diff options
| -rw-r--r-- | TODO.md | 8 | ||||
| -rw-r--r-- | cmd/rpc.go | 2 | ||||
| -rw-r--r-- | cmd/scmr.go | 68 | ||||
| -rw-r--r-- | internal/client/dce/dce.go | 57 | ||||
| -rw-r--r-- | internal/exec/exec.go | 10 | ||||
| -rw-r--r-- | internal/exec/scmr/exec.go | 13 | ||||
| -rw-r--r-- | internal/exec/tsch/exec.go | 11 |
7 files changed, 118 insertions, 51 deletions
@@ -6,9 +6,11 @@ - [X] Add WMI module - [X] Clean up TSCH module -- [ ] Clean up SCMR module - - [ ] add dynamic string binding support - - [ ] general clean up. Use TSCH & WMI as reference +- [X] Clean up SCMR module + - [X] add dynamic string binding support + - [X] general clean up. Use TSCH & WMI as reference + +- [ ] WMI `reg` subcommand - read & edit the registry - [ ] Add DCOM module - [ ] MMC20.Application method @@ -23,7 +23,7 @@ func needsRpcTarget(proto string) func(cmd *cobra.Command, args []string) error if ok, err := regexp.MatchString(`^\w+$`, argDceEpmFilter); err == nil && ok { argDceEpmFilter += ":" } - dceConfig.Endpoint, err = dcerpc.ParseStringBinding(argDceEpmFilter) + dceConfig.EpmFilter, err = dcerpc.ParseStringBinding(argDceEpmFilter) if err != nil { return fmt.Errorf("failed to parse EPM filter: %w", err) } diff --git a/cmd/scmr.go b/cmd/scmr.go index 7772fc4..37b52eb 100644 --- a/cmd/scmr.go +++ b/cmd/scmr.go @@ -19,10 +19,17 @@ func scmrCmdInit() { if err := scmrCmd.MarkPersistentFlagRequired("executable-path"); err != nil { panic(err) } - scmrCmd.AddCommand(scmrChangeCmd) scmrCreateCmdInit() - scmrCmd.AddCommand(scmrCreateCmd) + scmrCmd.AddCommand(scmrChangeCmd) scmrChangeCmdInit() + scmrCmd.AddCommand(scmrCreateCmd) + scmrDeleteCmdInit() + scmrCmd.AddCommand(scmrDeleteCmd) +} + +func scmrCreateCmdInit() { + scmrCreateCmd.Flags().StringVarP(&scmrServiceName, "service-name", "s", "", "Name of service to create") + scmrCreateCmd.Flags().BoolVar(&scmrNoDelete, "no-delete", false, "Don't delete service after execution") } func scmrChangeCmdInit() { @@ -34,9 +41,11 @@ func scmrChangeCmdInit() { } } -func scmrCreateCmdInit() { - scmrCreateCmd.Flags().StringVarP(&scmrServiceName, "service-name", "s", "", "Name of service to create") - scmrCreateCmd.Flags().BoolVar(&scmrNoDelete, "no-delete", false, "Don't delete service after execution") +func scmrDeleteCmdInit() { + scmrDeleteCmd.Flags().StringVarP(&scmrServiceName, "service-name", "s", "", "Name of service to delete") + if err := scmrChangeCmd.MarkFlagRequired("service-name"); err != nil { + panic(err) + } } var ( @@ -57,7 +66,14 @@ var ( scmrCreateCmd = &cobra.Command{ Use: "create [target]", Short: "Create & run a new Windows service to gain execution", - Args: needsRpcTarget("cifs"), + Long: `Description: + The create method calls RCreateServiceW to create a new Windows service with + the provided executable & arguments as the lpBinaryPathName + +References: + https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6a8ca926-9477-4dd4-b766-692fab07227e +`, + Args: needsRpcTarget("cifs"), Run: func(cmd *cobra.Command, args []string) { if scmrServiceName == "" { @@ -137,24 +153,54 @@ var ( ServiceName: scmrServiceName, }, } - log = log.With(). + ctx = log.With(). Str("module", "scmr"). Str("method", "change"). - Logger() + Logger().WithContext(ctx) - if err := executor.Connect(log.WithContext(ctx), creds, target, connCfg); err != nil { + if err := executor.Connect(ctx, creds, target, connCfg); err != nil { log.Fatal().Err(err).Msg("Connection failed") } if !scmrNoDelete { defer func() { - if err := executor.Cleanup(log.WithContext(ctx), cleanCfg); err != nil { + if err := executor.Cleanup(ctx, cleanCfg); err != nil { log.Error().Err(err).Msg("Cleanup failed") } }() } - if err := executor.Exec(log.WithContext(ctx), execCfg); err != nil { + if err := executor.Exec(ctx, execCfg); err != nil { log.Error().Err(err).Msg("Execution failed") } }, } + scmrDeleteCmd = &cobra.Command{ + Use: "delete [target]", + Short: "Delete an existing Windows service", + Long: `Description: + +`, + Args: needsRpcTarget("cifs"), + Run: func(cmd *cobra.Command, args []string) { + + executor := scmrexec.Module{} + cleanCfg := &exec.CleanupConfig{ + CleanupMethod: scmrexec.CleanupMethodDelete, + } + connCfg := &exec.ConnectionConfig{ + ConnectionMethod: exec.ConnectionMethodDCE, + ConnectionMethodConfig: dceConfig, + } + ctx = log.With(). + Str("module", "scmr"). + Str("method", "delete"). + Logger().WithContext(ctx) + + if err := executor.Connect(ctx, creds, target, connCfg); err != nil { + log.Fatal().Err(err).Msg("Connection failed") + + } else if err = executor.Cleanup(ctx, cleanCfg); err != nil { + log.Fatal().Err(err).Msg("Delete failed") + } + }, + } ) diff --git a/internal/client/dce/dce.go b/internal/client/dce/dce.go index 1ddec65..f58123b 100644 --- a/internal/client/dce/dce.go +++ b/internal/client/dce/dce.go @@ -2,30 +2,29 @@ package dce import ( "context" + "errors" "fmt" "github.com/RedTeamPentesting/adauth" "github.com/RedTeamPentesting/adauth/dcerpcauth" "github.com/oiweiwei/go-msrpc/dcerpc" + "github.com/oiweiwei/go-msrpc/midl/uuid" "github.com/oiweiwei/go-msrpc/msrpc/epm/epm/v3" "github.com/oiweiwei/go-msrpc/ssp/gssapi" "github.com/rs/zerolog" ) -var ( - NP = "ncacn_np" - TCP = "ncacn_ip_tcp" - HTTP = "ncacn_http" -) - type ConnectionMethodDCEConfig struct { - NoEpm bool // NoEpm disables EPM - EpmAuto bool // EpmAuto will find any suitable endpoint, without any filter - Endpoint *dcerpc.StringBinding // Endpoint is the endpoint passed to dcerpc.WithEndpoint. ignored if EpmAuto is false + NoEpm bool // NoEpm disables EPM + EpmAuto bool // EpmAuto will find any suitable endpoint, without any filter + Insecure bool + NoSign bool + Endpoint *dcerpc.StringBinding // Endpoint is the explicit endpoint passed to dcerpc.WithEndpoint for use without EPM + EpmFilter *dcerpc.StringBinding // EpmFilter is the rough filter used to pick an EPM endpoint DceOptions []dcerpc.Option // DceOptions are the options passed to dcerpc.Dial EpmOptions []dcerpc.Option // EpmOptions are the options passed to epm.EndpointMapper } -func (cfg *ConnectionMethodDCEConfig) GetDce(ctx context.Context, creds *adauth.Credential, target *adauth.Target, opts ...dcerpc.Option) (cc dcerpc.Conn, err error) { +func (cfg *ConnectionMethodDCEConfig) GetDce(ctx context.Context, cred *adauth.Credential, target *adauth.Target, endpoint, object string, opts ...dcerpc.Option) (cc dcerpc.Conn, err error) { dceOpts := append(opts, cfg.DceOptions...) epmOpts := append(opts, cfg.EpmOptions...) @@ -37,17 +36,41 @@ func (cfg *ConnectionMethodDCEConfig) GetDce(ctx context.Context, creds *adauth. epmOpts = append(epmOpts, dcerpc.WithLogger(log)) ctx = gssapi.NewSecurityContext(ctx) - ao, err := dcerpcauth.AuthenticationOptions(ctx, creds, target, &dcerpcauth.Options{}) + auth, err := dcerpcauth.AuthenticationOptions(ctx, cred, target, &dcerpcauth.Options{}) if err != nil { log.Error().Err(err).Msg("Failed to parse authentication options") return nil, fmt.Errorf("parse auth options: %w", err) } - if cfg.Endpoint != nil && !cfg.EpmAuto { - dceOpts = append(dceOpts, dcerpc.WithEndpoint(cfg.Endpoint.String())) + addr := target.AddressWithoutPort() + log = log.With().Str("address", addr).Logger() + + if object != "" { + if id, err := uuid.Parse(object); err != nil { + log.Error().Err(err).Msg("Failed to parse input object UUID") + } else { + dceOpts = append(dceOpts, dcerpc.WithObjectUUID(id)) + } } - if !cfg.NoEpm { - dceOpts = append(dceOpts, - epm.EndpointMapper(ctx, target.AddressWithoutPort(), append(epmOpts, ao...)...)) + if cfg.Endpoint != nil { + dceOpts = append(dceOpts, dcerpc.WithEndpoint(cfg.Endpoint.String())) + log.Debug().Str("binding", cfg.Endpoint.String()).Msg("Using endpoint") + + } else if !cfg.NoEpm { + dceOpts = append(dceOpts, epm.EndpointMapper(ctx, addr, append(epmOpts, auth...)...)) + log.Debug().Msg("Using endpoint mapper") + + if cfg.EpmFilter != nil { + dceOpts = append(dceOpts, dcerpc.WithEndpoint(cfg.EpmFilter.String())) + log.Debug().Str("filter", cfg.EpmFilter.String()).Msg("Using endpoint filter") + } + } else if endpoint != "" { + dceOpts = append(dceOpts, dcerpc.WithEndpoint(endpoint)) + log.Debug().Str("endpoint", endpoint).Msg("Using default endpoint") + + } else { + log.Err(err).Msg("Invalid DCE connection options") + return nil, errors.New("get DCE: invalid connection options") } - return dcerpc.Dial(ctx, target.AddressWithoutPort(), append(dceOpts, ao...)...) + + return dcerpc.Dial(ctx, target.AddressWithoutPort(), append(dceOpts, auth...)...) } diff --git a/internal/exec/exec.go b/internal/exec/exec.go index 56edead..f3fe7ae 100644 --- a/internal/exec/exec.go +++ b/internal/exec/exec.go @@ -2,7 +2,9 @@ package exec import ( "context" + "fmt" "github.com/RedTeamPentesting/adauth" + "strings" ) const ( @@ -42,8 +44,12 @@ type Module interface { } func (cfg *ExecutionConfig) GetRawCommand() string { + executable := cfg.ExecutablePath + if strings.Contains(executable, " ") { + executable = fmt.Sprintf("%q", executable) + } if cfg.ExecutableArgs != "" { - return cfg.ExecutablePath + " " + cfg.ExecutableArgs + return executable + " " + cfg.ExecutableArgs } - return cfg.ExecutablePath + return executable } diff --git a/internal/exec/scmr/exec.go b/internal/exec/scmr/exec.go index c47fcee..588c580 100644 --- a/internal/exec/scmr/exec.go +++ b/internal/exec/scmr/exec.go @@ -9,18 +9,13 @@ import ( "github.com/FalconOpsLLC/goexec/internal/util" "github.com/FalconOpsLLC/goexec/internal/windows" "github.com/RedTeamPentesting/adauth" - "github.com/oiweiwei/go-msrpc/dcerpc" - "github.com/oiweiwei/go-msrpc/midl/uuid" "github.com/oiweiwei/go-msrpc/msrpc/scmr/svcctl/v2" "github.com/rs/zerolog" ) const ( - DefaultEndpoint = "ncacn_np:[srvsvc]" -) - -var ( - ScmrRpcUuid = uuid.MustParse("367ABB81-9844-35F1-AD32-98F038001003") + ScmrDefaultEndpoint = "ncacn_np:[svcctl]" + ScmrDefaultObject = "367ABB81-9844-35F1-AD32-98F038001003" ) func (mod *Module) Connect(ctx context.Context, creds *adauth.Credential, target *adauth.Target, ccfg *exec.ConnectionConfig) (err error) { @@ -41,7 +36,7 @@ func (mod *Module) Connect(ctx context.Context, creds *adauth.Credential, target } connect := func(ctx context.Context) error { // Create DCE connection - if mod.dce, err = cfg.GetDce(ctx, creds, target, dcerpc.WithObjectUUID(ScmrRpcUuid)); err != nil { + if mod.dce, err = cfg.GetDce(ctx, creds, target, ScmrDefaultEndpoint, ScmrDefaultObject); err != nil { log.Error().Err(err).Msg("Failed to initialize DCE dialer") return fmt.Errorf("create DCE dialer: %w", err) } @@ -191,7 +186,7 @@ func (mod *Module) Exec(ctx context.Context, ecfg *exec.ExecutionConfig) (err er ServiceManager: mod.scm, ServiceName: serviceName, DisplayName: util.RandomStringIfBlank(cfg.DisplayName), - BinaryPathName: util.CheckNullString(ecfg.GetRawCommand()), + BinaryPathName: ecfg.GetRawCommand(), ServiceType: windows.SERVICE_WIN32_OWN_PROCESS, StartType: windows.SERVICE_DEMAND_START, DesiredAccess: ServiceAllAccess, // TODO: Replace diff --git a/internal/exec/tsch/exec.go b/internal/exec/tsch/exec.go index 44f11d1..1996f27 100644 --- a/internal/exec/tsch/exec.go +++ b/internal/exec/tsch/exec.go @@ -8,19 +8,14 @@ import ( "github.com/FalconOpsLLC/goexec/internal/exec" "github.com/FalconOpsLLC/goexec/internal/util" "github.com/RedTeamPentesting/adauth" - "github.com/oiweiwei/go-msrpc/dcerpc" - "github.com/oiweiwei/go-msrpc/midl/uuid" "github.com/oiweiwei/go-msrpc/msrpc/tsch/itaskschedulerservice/v1" "github.com/rs/zerolog" "time" ) const ( - DefaultEndpoint = "ncacn_np:[atsvc]" -) - -var ( - TschRpcUuid = uuid.MustParse("86D35949-83C9-4044-B424-DB363231FD0C") + TschDefaultEndpoint = "ncacn_np:[atsvc]" + TschDefaultObject = "86D35949-83C9-4044-B424-DB363231FD0C" ) // Connect to the target & initialize DCE & TSCH clients @@ -34,7 +29,7 @@ func (mod *Module) Connect(ctx context.Context, creds *adauth.Credential, target return fmt.Errorf("invalid configuration for DCE connection method") } else { // Create DCERPC dialer - mod.dce, err = cfg.GetDce(ctx, creds, target, dcerpc.WithObjectUUID(TschRpcUuid)) + mod.dce, err = cfg.GetDce(ctx, creds, target, TschDefaultEndpoint, TschDefaultObject) if err != nil { log.Error().Err(err).Msg("Failed to create DCERPC dialer") return fmt.Errorf("create DCERPC dialer: %w", err) |