Exemplo n.º 1
0
        internal static void Unload(CommandLineParsing cLP)
        {
            string filter;

            if (!cLP.GetData("filter", out filter))
            {
                Console.WriteLine("[-] Filter Not Specified");
                return;
            }

            uint result = fltlib.FilterUnload(filter);

            if (0 != result)
            {
                if (2147943714 == result)
                {
                    Console.WriteLine("[-] Privilege Not Held (Probably SeLoadDriverPrivilege)");
                    return;
                }
                else if (2149515280 == result)
                {
                    Console.WriteLine("[-] Filter does not have a detach routine");
                    return;
                }
                Console.WriteLine("FilterUnload Failed: 0x{0}", result.ToString("X4"));
                return;
            }
            Console.WriteLine("[+] Filter Unloaded");
        }
Exemplo n.º 2
0
            public static bool ProcessInstallationArgs(string[] args)
            {
                var handledSomething = false;

                // Check if the installer is trying to get us to initialize the store
                // Only strictly needed for MultiUser scenario
                if (CommandLineParsing.HasSwitch("initialize", args))
                {
                    ExecuteCommandLineAction(
                        "Initializing Shared License Storage...",
                        SpAgent.Configuration.StoresInitialization.Initialize);
                    handledSomething = true;
                }

                // Verify the assumption that the installer has done its work by having the Agent Verify each of its registered stores
                // NB do not remove this line as it is responsible for ensuring the correct timely Configuration of the Licensing System.
                ReportInstallationActionIfDebug("Verifying Storage...");
                SpAgent.Configuration.VerifyStoresInitialized();
                ReportInstallationActionIfDebug("... verified.");

                // Check if the installer is trying to get us to activate a license
                var activationKey = CommandLineParsing.ArgumentOrDefault("activate", args);

                if (activationKey != null)
                {
                    ExecuteCommandLineAction(
                        "Activating License: " + activationKey,
                        () => SpAgent.Product.Activation.OnlineActivate(activationKey));
                    handledSomething = true;
                }

                return(handledSomething);
            }
Exemplo n.º 3
0
 ////////////////////////////////////////////////////////////////////////////////
 // List the privileges for a token
 ////////////////////////////////////////////////////////////////////////////////
 private static void _ListPrivileges(CommandLineParsing cLP, IntPtr hToken)
 {
     Console.WriteLine("Remote: " + cLP.Remote);
     Console.WriteLine("Impers: " + cLP.Impersonation);
     using (TokenInformation ti = new TokenInformation(hToken))
     {
         if (cLP.Remote && !cLP.Impersonation && ti.OpenProcessToken(cLP.ProcessID))
         {
             ti.SetWorkingTokenToRemote();
         }
         else if (cLP.Remote && cLP.Impersonation)
         {
             ti.ListThreads(cLP.ProcessID);
             ti.GetThreadPrivileges();
             return;
         }
         else if (!cLP.Remote && cLP.Impersonation)
         {
             ti.ListThreads(Process.GetCurrentProcess().Id);
             ti.GetThreadPrivileges();
             return;
         }
         else
         {
             ti.SetWorkingTokenToSelf();
         }
         ti.GetTokenPrivileges();
     }
 }
Exemplo n.º 4
0
 ////////////////////////////////////////////////////////////////////////////////
 // Enables, Disables, or Removes a privilege from a Token
 ////////////////////////////////////////////////////////////////////////////////
 private static void _AlterPrivilege(CommandLineParsing cLP, IntPtr hToken, Winnt.TokenPrivileges attribute)
 {
     using (TokenManipulation t = new TokenManipulation(hToken))
     {
         if (cLP.Remote && !cLP.Impersonation && t.OpenProcessToken(cLP.ProcessID))
         {
             t.SetWorkingTokenToRemote();
         }
         else if (cLP.Remote && cLP.Impersonation)
         {
             t.ListThreads(cLP.ProcessID);
             t.SetThreadTokenPrivilege(cLP.Privilege, attribute);
         }
         else if (!cLP.Remote && cLP.Impersonation)
         {
             t.ListThreads(Process.GetCurrentProcess().Id);
             t.SetThreadTokenPrivilege(cLP.Privilege, attribute);
         }
         else
         {
             t.SetWorkingTokenToSelf();
         }
         t.SetTokenPrivilege(cLP.Privilege, attribute);
     }
 }
Exemplo n.º 5
0
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        private static void _UnInstallDriver(CommandLineParsing cLP)
        {
            string service;

            if (cLP.GetData("servicename", out service))
            {
                using (PSExec p = new PSExec(service))
                {
                    if (!p.Connect("."))
                    {
                        return;
                    }

                    if (!p.Open())
                    {
                        return;
                    }

                    if (!p.Stop())
                    {
                        return;
                    }

                    if (!p.Delete())
                    {
                        return;
                    }
                }
            }
            else
            {
                Console.WriteLine("[-] Unable to identify /Service");
            }
        }
Exemplo n.º 6
0
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        private static void _AddPrivilege(CommandLineParsing cLP)
        {
            TokenDriver.PRIVILEGES priv = Misc.ParseEnum <TokenDriver.PRIVILEGES>(cLP.Privilege);

            using (TokenDriver td = new TokenDriver())
            {
                if (!td.Connect())
                {
                    Console.WriteLine("[-] Driver Connect Failed");
                    return;
                }

                Console.WriteLine("[+] Connected to Driver");
                if (cLP.Remote)
                {
                    TokenDriver.PRIVILEGE_DATA data = new TokenDriver.PRIVILEGE_DATA
                    {
                        ProcessID = (uint)cLP.ProcessID,
                        Privilege = priv,
                    };
                    td.AddTokenPrivilege(data);
                }
                else
                {
                    td.AddTokenPrivilege(priv);
                }
            }
            Console.WriteLine("[*] Disconnected from Driver");
        }
Exemplo n.º 7
0
        ////////////////////////////////////////////////////////////////////////////////
        // Starts Windows Module Installer and impersonates or starts a process with
        // the cloned token. There are better ways of doing this net .O
        ////////////////////////////////////////////////////////////////////////////////
        private static void _GetTrustedInstaller(CommandLineParsing cLP, IntPtr hToken)
        {
            bool exists, enabled;

            TokenInformation.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out exists, out enabled);

            if (exists)
            {
                using (TokenManipulation t = new TokenManipulation(hToken))
                {
                    t.SetWorkingTokenToSelf();

                    if (!enabled)
                    {
                        t.SetTokenPrivilege(Winnt.SE_DEBUG_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                    }

                    if (string.IsNullOrEmpty(cLP.Command))
                    {
                        t.GetTrustedInstaller();
                    }
                    else
                    {
                        t.GetTrustedInstaller(cLP.CommandAndArgs);
                    }
                }
            }
            else
            {
                Console.WriteLine("[-] SeDebugPrivilege Is Not Assigned to Token");
            }
        }
Exemplo n.º 8
0
        ////////////////////////////////////////////////////////////////////////////////
        // Runs a cmd prompt command
        ////////////////////////////////////////////////////////////////////////////////
        private static void _Run(CommandLineParsing cLP)
        {
            process = new Process();
            process.StartInfo.FileName               = cLP.Command;
            process.StartInfo.Arguments              = cLP.Arguments;
            process.StartInfo.CreateNoWindow         = true;
            process.StartInfo.UseShellExecute        = false;
            process.StartInfo.RedirectStandardInput  = true;
            process.StartInfo.RedirectStandardError  = true;
            process.StartInfo.RedirectStandardOutput = true;
            Console.WriteLine("[+] Starting {0}", cLP.CommandAndArgs);
            Console.WriteLine("[*] Note: The prompt is currently missing for input");
            Console.WriteLine();
            process.Start();

            Thread inThread  = new Thread(() => _SubProcessStdIn());
            Thread outThread = new Thread(() => _SubProcessStdOut());

            inThread.Start();
            outThread.Start();

            process.WaitForExit();

            inThread.Abort();
            outThread.Abort();
        }
Exemplo n.º 9
0
        ////////////////////////////////////////////////////////////////////////////////
        // https://github.com/numbnet/Win32-OpenSSH/blob/8dd7423e13ac0b88b3084ec95bc93ea09dec1fef/contrib/win32/win32compat/win32auth.c
        // https://github.com/bb107/WinSudo/blob/b2cb7700bd2f7ee59e2ef7f9ca20c2a671ce72a8/PrivilegeHelps/Security.cpp
        // https://www.exploit-db.com/papers/42556
        ////////////////////////////////////////////////////////////////////////////////
        private static void _CreateToken(CommandLineParsing cLP, IntPtr hToken)
        {
            try
            {
                using (CreateTokens ct = new CreateTokens(hToken))
                {
                    string[] groups = new string[0];
                    string   g;
                    if (cLP.GetData("groups", out g))
                    {
                        groups = (g).Split(new string[] { "," }, StringSplitOptions.RemoveEmptyEntries);
                    }

                    string user;
                    if (cLP.GetData("username", out user))
                    {
                        ct.SetWorkingTokenToSelf();
                        ct.CreateToken(user, groups, cLP.Command);
                    }
                    else
                    {
                        ct.SetWorkingTokenToSelf();
                        ct.CreateToken(groups, cLP.Command);
                    }
                }
            }
            catch (AccessViolationException ex)
            {
                Console.WriteLine(ex);
            }
        }
Exemplo n.º 10
0
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        private static bool _StealToken(CommandLineParsing cLP, IntPtr hToken)
        {
            using (TokenManipulation t = new TokenManipulation(hToken))
            {
                if (string.IsNullOrWhiteSpace(cLP.Command))
                {
                    if (0 != cLP.ProcessID && t.OpenProcessToken(cLP.ProcessID))
                    {
                        t.SetWorkingTokenToRemote();
                    }
                    else if (0 != cLP.ThreadID && t.OpenThreadToken((uint)cLP.ThreadID, Winnt.TOKEN_ALL_ACCESS))
                    {
                        t.SetWorkingTokenToThreadToken();
                    }
                    else
                    {
                        Console.WriteLine("[-] Process or Thread ID not Specified");
                        return(false);
                    }

                    if (t.ImpersonateUser())
                    {
                        return(true);
                    }
                }
                else
                {
                    if (0 != cLP.ProcessID && t.OpenProcessToken(cLP.ProcessID))
                    {
                        t.SetWorkingTokenToRemote();
                        if (!t.DuplicateToken(Winnt._SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation))
                        {
                            return(false);
                        }
                        t.SetWorkingTokenToNewToken();
                    }
                    else if (0 != cLP.ThreadID && t.OpenThreadToken((uint)cLP.ThreadID, Winnt.TOKEN_ALL_ACCESS))
                    {
                        t.SetWorkingTokenToThreadToken();
                    }
                    else
                    {
                        Console.WriteLine("[-] Process or Thread ID not Specified");
                        return(false);
                    }

                    if (t.StartProcessAsUser(cLP.Command))
                    {
                        return(true);
                    }
                }
                return(false);
            }
        }
Exemplo n.º 11
0
            public static bool ProcessUninitializationArgs(string[] args)
            {
                if (CommandLineParsing.HasSwitch("uninitialize", args))
                {
                    ExecuteCommandLineAction(
                        "Removing Shared License Storage...",
                        SpAgent.Configuration.StoresInitialization.Uninitialize);
                    return(true);
                }

                return(false);
            }
Exemplo n.º 12
0
 ////////////////////////////////////////////////////////////////////////////////
 //
 ////////////////////////////////////////////////////////////////////////////////
 private static void _CloneToken(CommandLineParsing cLP, IntPtr hToken)
 {
     try
     {
         using (CreateTokens ct = new CreateTokens(hToken))
         {
             ct.SetWorkingTokenToSelf();
             ct.CloneToken(cLP.ProcessID, cLP.Command);
         }
     }
     catch (AccessViolationException ex)
     {
         Console.WriteLine(ex);
     }
 }
Exemplo n.º 13
0
        ////////////////////////////////////////////////////////////////////////////////
        // Marks or unmarks a process as being critical
        ////////////////////////////////////////////////////////////////////////////////
        private static void _SetCriticalProcess(CommandLineParsing cLP, IntPtr hProcess)
        {
            string sSetting;

            cLP.GetData("state", out sSetting);

            bool bSetting;

            if (!bool.TryParse(sSetting, out bSetting))
            {
                Console.WriteLine("[-] Invalid Boolean Specified: {0}", sSetting);
                return;
            }

            uint uSetting = Convert.ToUInt32(bSetting);

            if (cLP.Remote)
            {
                hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_SET_INFORMATION, false, (uint)cLP.ProcessID);
                if (IntPtr.Zero == hProcess)
                {
                    Misc.GetWin32Error("OpenProcess");
                    kernel32.CloseHandle(hProcess);
                    return;
                }
            }

            uint status = ntdll.NtSetInformationProcess(hProcess, ntdll._PROCESS_INFORMATION_CLASS.ProcessBreakOnTermination, ref uSetting, (uint)System.Runtime.InteropServices.Marshal.SizeOf(typeof(uint)));

            if (0 != status)
            {
                Misc.GetNtError("NtSetInformationProcess", status);
                kernel32.CloseHandle(hProcess);
                return;
            }

            if (bSetting)
            {
                Console.WriteLine("[+] Process {0} is Marked as Critical", cLP.ProcessID);
            }
            else
            {
                Console.WriteLine("[+] Process {0} is Unmarked as Critical", cLP.ProcessID);
            }

            kernel32.CloseHandle(hProcess);
            return;
        }
Exemplo n.º 14
0
        ////////////////////////////////////////////////////////////////////////////////
        // List the instances / volumes attached to for a given minifilter
        ////////////////////////////////////////////////////////////////////////////////
        private static void _ListFiltersInstances(CommandLineParsing cLP)
        {
            string filter;

            if (!cLP.GetData("filter", out filter))
            {
                Console.WriteLine("[-] Filter Not Specified");
                return;
            }

            using (FilterInstance filterInstance = new FilterInstance(filter))
            {
                filterInstance.First();
                filterInstance.Next();
            }
        }
Exemplo n.º 15
0
        internal static void FilterDetach(CommandLineParsing cLP)
        {
            string filter;

            if (!cLP.GetData("filter", out filter))
            {
                Console.WriteLine("[-] /Filter: Not Specified");
                return;
            }

            string instance;

            if (!cLP.GetData("instance", out instance))
            {
                Console.WriteLine("[-] /Instance: Not Specified");
                return;
            }

            string volume;

            if (!cLP.GetData("volume", out volume))
            {
                Console.WriteLine("[-] /Volume: Not Specified");
                return;
            }

            uint result = fltlib.FilterDetach(filter, volume, instance);

            if (0 != result)
            {
                if (2147943714 == result)
                {
                    Console.WriteLine("[-] Privilege Not Held (Probably SeLoadDriverPrivilege)");
                    return;
                }
                else if (2149515280 == result)
                {
                    Console.WriteLine("[-] Filter does not have a detach routine");
                    return;
                }
                Console.WriteLine("FilterDetach Failed: 0x{0}", result.ToString("X4"));
                return;
            }

            Console.WriteLine("[+] Filter Detached");
        }
Exemplo n.º 16
0
        ////////////////////////////////////////////////////////////////////////////////
        // Steal a token from a named pipe, has some wierd corner cases
        ////////////////////////////////////////////////////////////////////////////////
        private static void _StealPipeToken(CommandLineParsing cLP)
        {
            if (string.IsNullOrEmpty(cLP.PipeName))
            {
                Console.WriteLine("[-] Pipename not set");
                return;
            }

            if (string.IsNullOrEmpty(cLP.Command))
            {
                NamedPipes.GetPipeToken(cLP.PipeName);
            }
            else
            {
                Console.WriteLine("[*] Running {0}", cLP.CommandAndArgs);
                NamedPipes.GetPipeToken(cLP.PipeName, cLP.Command, cLP.Arguments);
            }
        }
Exemplo n.º 17
0
        ////////////////////////////////////////////////////////////////////////////////
        // Use WMI to find processes that a user is running
        ////////////////////////////////////////////////////////////////////////////////
        private static void _FindUserProcessesWMI(CommandLineParsing cLP)
        {
            string user;

            if (!cLP.GetData("username", out user))
            {
                Console.WriteLine("[-] Username not specified");
                return;
            }
            Dictionary <uint, string> processes = UserSessions.EnumerateUserProcessesWMI(user);

            Console.WriteLine("{0,-30}{1,-30}", "Process ID", "Process Name");
            Console.WriteLine("{0,-30}{1,-30}", "----------", "------------");
            foreach (uint pid in processes.Keys)
            {
                Console.WriteLine("{0,-30}{1,-30}", pid, processes[pid]);
            }
        }
Exemplo n.º 18
0
        ////////////////////////////////////////////////////////////////////////////////
        // Pass through powershell command
        ////////////////////////////////////////////////////////////////////////////////
        private static void _RunPowerShell(CommandLineParsing cLP)
        {
            Runspace runspace = RunspaceFactory.CreateRunspace();

            runspace.Open();
            RunspaceInvoke scriptInvoker = new RunspaceInvoke(runspace);
            Pipeline       pipeline      = runspace.CreatePipeline();

            pipeline.Commands.AddScript(cLP.Command);
            pipeline.Commands.Add("Out-String");
            Collection <PSObject> results = pipeline.Invoke();

            runspace.Close();

            foreach (PSObject obj in results)
            {
                Console.WriteLine(obj.ToString());
            }
        }
Exemplo n.º 19
0
 ////////////////////////////////////////////////////////////////////////////////
 //
 ////////////////////////////////////////////////////////////////////////////////
 private static void _UnfreezeToken(CommandLineParsing cLP)
 {
     using (TokenDriver td = new TokenDriver())
     {
         if (!td.Connect())
         {
             Console.WriteLine("[-] Driver Connect Failed");
             return;
         }
         if (cLP.Remote)
         {
             td.UnFreezeToken((uint)cLP.ProcessID);
         }
         else
         {
             td.UnFreezeToken();
         }
     }
 }
Exemplo n.º 20
0
        ////////////////////////////////////////////////////////////////////////////////
        // Disable and remove all the privileges on a given token
        ////////////////////////////////////////////////////////////////////////////////
        private static void _NukePrivileges(CommandLineParsing cLP, IntPtr hToken)
        {
            using (TokenManipulation t = new TokenManipulation(hToken))
            {
                if (cLP.Remote)
                {
                    t.SetWorkingTokenToRemote();
                    if (!t.OpenProcessToken(cLP.ProcessID))
                    {
                        return;
                    }
                }
                else
                {
                    t.SetWorkingTokenToSelf();
                }

                t.DisableAndRemoveAllTokenPrivileges();
            }
        }
Exemplo n.º 21
0
        ////////////////////////////////////////////////////////////////////////////////
        // Impersonates a SYSTEM token or creates a new process with the cloned token
        ////////////////////////////////////////////////////////////////////////////////
        private static void _GetSystem(CommandLineParsing cLP, IntPtr hToken)
        {
            bool exists, enabled;

            TokenInformation.CheckTokenPrivilege(hToken, "SeDebugPrivilege", out exists, out enabled);

            if (exists)
            {
                using (TokenManipulation t = new TokenManipulation(hToken))
                {
                    t.SetWorkingTokenToSelf();

                    if (!enabled)
                    {
                        t.SetTokenPrivilege(Winnt.SE_DEBUG_NAME, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                    }


                    if (string.IsNullOrEmpty(cLP.Command))
                    {
                        t.GetSystem();
                    }
                    else
                    {
                        t.GetSystem(cLP.CommandAndArgs);
                    }
                }
            }
            else
            {
                if (string.IsNullOrEmpty(cLP.Command))
                {
                    NamedPipes.GetSystem();
                }
                else
                {
                    NamedPipes.GetSystem(cLP.Command, cLP.Arguments);
                }
            }
        }
Exemplo n.º 22
0
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        private static void _AddGroup(CommandLineParsing cLP, IntPtr hToken)
        {
            string groups;

            if (!cLP.GetData("groups", out groups))
            {
                return;
            }

            using (TokenManipulation t = new TokenManipulation(hToken))
            {
                if (cLP.Remote && t.OpenProcessToken(cLP.ProcessID))
                {
                    t.SetWorkingTokenToRemote();
                }
                else
                {
                    t.SetWorkingTokenToSelf();
                }

                t.SetTokenGroup(groups, false);
            }
        }
Exemplo n.º 23
0
        ////////////////////////////////////////////////////////////////////////////////
        // Starts the KernelTokens Driver
        ////////////////////////////////////////////////////////////////////////////////
        private static void _StartDriver(CommandLineParsing cLP)
        {
            string sn;

            if (!cLP.GetData("ServiceName", out sn))
            {
                Console.WriteLine("[-] ServiceName not set");
                return;
            }


            PSExec p = new PSExec(sn);

            if (!p.Connect("."))
            {
                Console.WriteLine("[-] Unable to connect to service controller");
                return;
            }
            if (!p.Start())
            {
                return;
            }
        }
Exemplo n.º 24
0
        ////////////////////////////////////////////////////////////////////////////////
        // Module to check if a process is marked as critical
        ////////////////////////////////////////////////////////////////////////////////
        private static void _IsCriticalProcess(CommandLineParsing cLP, IntPtr hProcess)
        {
            if (cLP.Remote)
            {
                hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_QUERY_INFORMATION, false, (uint)cLP.ProcessID);
                if (IntPtr.Zero == hProcess)
                {
                    Misc.GetWin32Error("OpenProcess");
                    return;
                }
            }

            bool bIsCritical = false;

            if (!kernel32.IsProcessCritical(hProcess, ref bIsCritical))
            {
                Misc.GetWin32Error("IsProcessCritical");
                kernel32.CloseHandle(hProcess);
                return;
            }
            Console.WriteLine("[*] Process Critical State: {0}", bIsCritical);
            kernel32.CloseHandle(hProcess);
            return;
        }
Exemplo n.º 25
0
 ////////////////////////////////////////////////////////////////////////////////
 // UAC Token Magic - Deprecated
 ////////////////////////////////////////////////////////////////////////////////
 private static void _BypassUAC(CommandLineParsing cLP, IntPtr hToken)
 {
     Console.WriteLine("[*] Notice: This no longer working on versions of Windows 10 > 1703");
     if (cLP.Remote)
     {
         using (RestrictedToken rt = new RestrictedToken(hToken))
         {
             rt.BypassUAC(cLP.ProcessID, cLP.Command);
         }
     }
     else
     {
         string name = WindowsIdentity.GetCurrent().Name;
         Dictionary <uint, string> uacUsers = UserSessions.EnumerateUserProcesses(true, name);
         foreach (uint pid in uacUsers.Keys)
         {
             Console.WriteLine("\n[*] Attempting Bypass with PID {0} ({1})", pid, uacUsers[pid]);
             using (RestrictedToken rt = new RestrictedToken(hToken))
             {
                 rt.BypassUAC((int)pid, cLP.Command);
             }
         }
     }
 }
Exemplo n.º 26
0
        ////////////////////////////////////////////////////////////////////////////////
        // Terminates a given process
        ////////////////////////////////////////////////////////////////////////////////
        private static void _Terminate(CommandLineParsing cLP)
        {
            if (cLP.Remote)
            {
                IntPtr hProcess = kernel32.OpenProcess(ProcessThreadsApi.ProcessSecurityRights.PROCESS_TERMINATE, false, (uint)cLP.ProcessID);
                if (IntPtr.Zero == hProcess)
                {
                    Misc.GetWin32Error("OpenProcess");
                    return;
                }
                Console.WriteLine("[*] Recieved Process Handle 0x{0}", hProcess.ToString("X4"));

                if (!kernel32.TerminateProcess(hProcess, 0))
                {
                    Misc.GetWin32Error("TerminateProcess");
                    return;
                }
                Console.WriteLine("[+] Process Terminated");
            }
            else
            {
                Console.WriteLine("[-] Unable to identify Process ID");
            }
        }
Exemplo n.º 27
0
        ////////////////////////////////////////////////////////////////////////////////
        // Mainloop
        ////////////////////////////////////////////////////////////////////////////////
        internal void Run()
        {
            try
            {
                Console.Write(context);
                string input;
                if (activateTabs)
                {
                    try
                    {
                        input = console.ReadLine();
                    }
                    catch (InvalidOperationException)
                    {
                        input = Console.ReadLine();
                    }
                }
                else
                {
                    input = Console.ReadLine();
                }

                IntPtr hToken, tempToken;
                hToken = tempToken = IntPtr.Zero;

                bool remote = _GetProcessID(input, out processID, out command);
                if (!remote)
                {
                    hProcess = hBackup;
                    kernel32.OpenProcessToken(hProcess, Winnt.TOKEN_ALL_ACCESS, out hToken);
                    if (IntPtr.Zero == hToken)
                    {
                        Console.WriteLine("[-] Opening Process Token Failed, Opening Thread Token");
                        IntPtr hThread = kernel32.GetCurrentThread();
                        kernel32.OpenThreadToken(hThread, Winnt.TOKEN_ALL_ACCESS, true, ref hToken);
                        if (IntPtr.Zero == hToken)
                        {
                            Console.WriteLine("[-] Opening Thread Token Failed, Recommend RevertToSelf");
                        }
                    }
                }
                string             action = Misc.NextItem(ref input);
                CommandLineParsing cLP    = new CommandLineParsing();
                if (!string.Equals(action, input, StringComparison.OrdinalIgnoreCase))
                {
                    if (!cLP.Parse(input))
                    {
                        return;
                    }
                }

                switch (action)
                {
                case "add_group":
                    _AddGroup(cLP, hToken);
                    break;

                case "add_privilege":
                    _AddPrivilege(cLP);
                    break;

                case "bypassuac":
                    _BypassUAC(cLP, hToken);
                    break;

                case "clear_desktop_acl":
                    _ClearDesktopACL();
                    break;

                case "clone_token":
                    _CloneToken(cLP, hToken);
                    break;

                case "create_token":
                    _CreateToken(cLP, hToken);
                    break;

                case "delete_driver":
                    _UnInstallDriver(cLP);
                    break;

                case "detach_filter":
                    Filters.FilterDetach(cLP);
                    break;

                case "disable_privilege":
                    _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_NONE);
                    break;

                case "enable_privilege":
                    _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_ENABLED);
                    break;

                case "exit":
                    Environment.Exit(0);
                    break;

                case "find_user_processes":
                    _FindUserProcesses(cLP);
                    break;

                case "find_user_processes_wmi":
                    _FindUserProcessesWMI(cLP);
                    break;

                case "getinfo":
                    _Info(cLP, hToken);
                    break;

                case "getsystem":
                    _GetSystem(cLP, hToken);
                    break;

                case "get_system":
                    _GetSystem(cLP, hToken);
                    break;

                case "gettrustedinstaller":
                    _GetTrustedInstaller(cLP, hToken);
                    break;

                case "get_trustedinstaller":
                    _GetTrustedInstaller(cLP, hToken);
                    break;

                case "help":
                    _Help(input);
                    break;

                case "history":
                    console.GetHistory();
                    break;

                case "info":
                    _Info(cLP, hToken);
                    break;

                case "install_driver":
                    _InstallDriver(cLP);
                    break;

                case "list_filters":
                    _ListFilters();
                    break;

                case "list_filter_instances":
                    _ListFiltersInstances(cLP);
                    break;

                case "list_privileges":
                    _ListPrivileges(cLP, hToken);
                    break;

                case "logon_user":
                    _LogonUser(cLP, hToken);
                    break;

                case "nuke_privileges":
                    _NukePrivileges(cLP, hToken);
                    break;

                case "pid":
                    Console.WriteLine("[+] Process ID: {0}", Process.GetCurrentProcess().Id);
                    Console.WriteLine("[+] Parent ID:  {0}", Process.GetCurrentProcess().Parent().Id);
                    break;

                case "remove_privilege":
                    _AlterPrivilege(cLP, hToken, Winnt.TokenPrivileges.SE_PRIVILEGE_REMOVED);
                    break;

                case "is_critical_process":
                    _IsCriticalProcess(cLP, hProcess);
                    break;

                case "set_critical_process":
                    _SetCriticalProcess(cLP, hProcess);
                    break;

                case "reverttoself":
                    Console.WriteLine(advapi32.RevertToSelf() ? "[*] Reverted token to " + WindowsIdentity.GetCurrent().Name : "[-] RevertToSelf failed");
                    break;

                case "run":
                    _Run(cLP);
                    break;

                case "runas":
                    _RunAsNetOnly(cLP);
                    break;

                case "runpowershell":
                    _RunPowerShell(cLP);
                    break;

                case "sample_processes":
                    _SampleProcess();
                    break;

                case "sample_processes_wmi":
                    _SampleProcessWMI();
                    break;

                case "sessions":
                    UserSessions.EnumerateInteractiveUserSessions();
                    break;

                case "start_driver":
                    _StartDriver(cLP);
                    break;

                case "steal_pipe_token":
                    _StealPipeToken(cLP);
                    break;

                case "steal_token":
                    _StealToken(cLP, hToken);
                    break;

                case "tasklist":
                    UserSessions.Tasklist();
                    break;

                case "terminate":
                    _Terminate(cLP);
                    break;

                case "unfreeze_token":
                    _UnfreezeToken(cLP);
                    break;

                case "uninstall_driver":
                    _UnInstallDriver(cLP);
                    break;

                case "unload_filter":
                    Filters.Unload(cLP);
                    break;

                case "whoami":
                    Console.WriteLine("[*] Operating as {0}", WindowsIdentity.GetCurrent().Name);
                    break;

                default:
                    _Help(input);
                    break;
                }

                if (IntPtr.Zero != hToken)
                {
                    kernel32.CloseHandle(hToken);
                }
            }
            catch (Exception error)
            {
                Console.WriteLine(error.ToString());
                Misc.GetWin32Error("MainLoop");
            }
            Console.WriteLine();
        }
 /// <summary>
 /// Called when command line is parsing.
 /// </summary>
 /// <param name="args">The arguments of the event.</param>
 /// <returns><c>true</c> if arguments was handled, <c>false</c> otherwise.</returns>
 public void OnCommandLineParsing(CommandLineParseEventArgs args)
 {
     CommandLineParsing?.Invoke(this, args);
 }
Exemplo n.º 29
0
        ////////////////////////////////////////////////////////////////////////////////
        // sc create TokenDriver binPath="C:\Windows\System32\kerneltokens.sys" type=kernel
        ////////////////////////////////////////////////////////////////////////////////
        private static void _InstallDriver(CommandLineParsing cLP)
        {
            //string servicename = Misc.NextItem(ref command);
            //string path = Misc.NextItem(ref command);
            //string force = Misc.NextItem(ref command);

            string serviceName = "TokenDriver";
            string sn;

            if (cLP.GetData("ServiceName", out sn))
            {
                serviceName = sn;
            }

            string path = string.Empty;
            string p;

            if (cLP.GetData("Path", out p))
            {
                path = (string)p;
            }

            bool   overwrite = false;
            object f;

            if (cLP.GetData("Force", out f))
            {
                overwrite = true;
            }

            Console.WriteLine("[*] Service Name: " + serviceName);
            Console.WriteLine("[*] Service Path: " + path);

            PSExec psexec = new PSExec(serviceName);

            if (!psexec.Connect("."))
            {
                Console.WriteLine("[-] Unable to connect to service controller");
                return;
            }

            string filename;

            try
            {
                filename = Path.GetFullPath(path);
            }
            catch (Exception ex)
            {
                if (ex is ArgumentException)
                {
                    filename = CreateProcess.FindFilePath(path);
                    if (string.IsNullOrEmpty(filename))
                    {
                        Console.WriteLine("[-] Unable to locate service binary");
                        return;
                    }
                }
                else
                {
                    return;
                }
            }

            Console.WriteLine("[*] Full Path: " + filename);

            if (!File.Exists(filename))
            {
                Console.WriteLine("[-] Unable to find service binary: {0}");
                return;
            }

            if (!psexec.Open())
            {
                if (!psexec.CreateDriver(filename, overwrite))
                {
                    return;
                }
                if (!psexec.Open())
                {
                    return;
                }
            }

            if (!psexec.Start())
            {
                return;
            }
        }
Exemplo n.º 30
0
        ////////////////////////////////////////////////////////////////////////////////
        //
        ////////////////////////////////////////////////////////////////////////////////
        private static void _LogonUser(CommandLineParsing cLP, IntPtr hToken)
        {
            string username;

            if (!cLP.GetData("username", out username))
            {
                return;
            }

            string domain   = ".";
            string password = string.Empty;

            Winbase.LOGON_TYPE logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_INTERACTIVE;
            if (username.Contains('\\') && !username.ToLower().StartsWith("nt service"))
            {
                string[] split = username.Split('\\').ToArray();
                domain   = split.FirstOrDefault();
                username = split.LastOrDefault();
                if (!cLP.GetData("password", out password))
                {
                    return;
                }
                Console.WriteLine("User Logon");
            }
            else if (username.Contains('\\') && username.ToLower().StartsWith("nt service"))
            {
                string[] split = username.Split('\\').ToArray();
                username  = split.LastOrDefault();
                logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                domain    = "NT SERVICE";
                Console.WriteLine("Service Logon");
            }
            else
            {
                switch (username.ToLower().Trim())
                {
                case "localservice":
                    username  = "******";
                    logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                    domain    = "NT AUTHORITY";
                    break;

                case "localsystem":
                    username  = "******";
                    logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                    domain    = "NT AUTHORITY";
                    break;

                case "networkservice":
                    username  = "******";
                    logonType = Winbase.LOGON_TYPE.LOGON32_LOGON_SERVICE;
                    domain    = "NT AUTHORITY";
                    break;

                default:
                    cLP.GetData("password", out password);
                    break;
                }
            }

            using (TokenManipulation t = new TokenManipulation(hToken))
            {
                string groups;
                if (cLP.GetData("groups", out groups))
                {
                    t.LogonUser(domain, username, password, groups, logonType, cLP.Command, cLP.Arguments);
                }
                else
                {
                    t.LogonUser(domain, username, password, logonType, cLP.Command, cLP.Arguments);
                }
            }
        }