@shramos /mitigate_service.py Secret
Last active Feb 16, 2018

Embed
What would you like to do?
import win32service
import win32serviceutil
import win32event
import win32security
import select
from multiprocessing.connection import Listener, Client
from winreg import *
from _winreg import HKEY_LOCAL_MACHINE as HKLM
from _winreg import HKEY_USERS
import os
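class MitigateSvc(win32serviceutil.ServiceFramework):
    """Windows service that manages IFEO ``debugger`` entries for a list of binaries.

    On start it writes a ``debugger`` value under the Image File Execution
    Options key of every binary in ``binlist`` (see ``DEBUG_KEY``), then waits
    on a loopback :class:`multiprocessing.connection.Listener` for a client
    message of the form ``[binary_name, registry_subpath]``. For a valid
    message it removes that binary's debugger entry, deletes the named subkey
    under the configured user's ``HKEY_USERS`` hive if present, asks the
    client to run the binary, and re-installs the debugger entry before
    closing the connection. On stop it removes all the debugger entries.

    Note
    ----
    _svc_name_ : str
        You can NET START/STOP the service by the following name.
    _svc_display_name_ : str
        This text shows up as the service name in the Services list.
    _svc_description_ : str
        This text shows up as the description in the SCM.

    Attributes
    ----------
    hWaitStop : :obj:`Event`
        Event to listen for stop requests.
    conn : :obj:`Connection`
        Handles the connection of a Client (``None`` while nobody is connected).
    binlist : list of str
        Binaries whose IFEO ``debugger`` value this service manages; incoming
        requests are honoured only for names in this list.
    user_name : str
        Account whose SID selects the ``HKEY_USERS`` hive used by the
        registry clean-up.
    """
    _svc_name_ = "MitigateSvc"
    _svc_display_name_ = "Mitigate Service"
    _svc_description_ = "This service mitigates the UAC bypass and DLL Hijacking"
    # Parent key of the per-binary Image File Execution Options entries.
    DEBUG_KEY = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
    # Loopback endpoint the agent client connects to, and the shared secret it
    # must present. Both the listener in SvcDoRun and the dummy client in
    # SvcStop use these so they cannot drift apart.
    # NOTE(review): the authkey is a fixed literal in source, so any local
    # process that reads it can drive the registry changes this service makes;
    # loading it from protected configuration would be stronger.
    LISTEN_ADDR = ('localhost', 5555)
    AUTH_KEY = "password"
    # NOTE(review): ``Registry`` is not defined in this file; it is expected to
    # come from ``from winreg import *`` (a local helper, not the stdlib module).

    def __init__(self, args):
        """Initialise the service framework plus the stop event and state."""
        win32serviceutil.ServiceFramework.__init__(self, args)
        # Auto-reset, initially unsignalled event; SvcStop signals it.
        self.hWaitStop = win32event.CreateEvent(None, 0, 0, None)
        self.conn = None
        self.binlist = ['sdclt.exe']
        self.user_name = 'santi'

    def SvcDoRun(self):
        """Core logic of the service.

        Installs the debugger entries, then loops: accept one client, serve it
        until it disconnects or sends one valid request, release the listener,
        and go back to accepting. Leaves the loop once ``hWaitStop`` is
        signalled (see :meth:`SvcStop`), removing the debugger entries on the
        way out.
        """
        registry = Registry()
        rc = None
        self.add_debugger(self.binlist)
        while rc != win32event.WAIT_OBJECT_0:
            print("Waiting for the listener...")
            listener = Listener(self.LISTEN_ADDR, authkey=self.AUTH_KEY)
            # accept() blocks; SvcStop() unblocks it by connecting a dummy client.
            self.conn = listener.accept()
            rc = win32event.WaitForSingleObject(self.hWaitStop, 1000)
            # if the service stops while it is waiting in the Listener
            if rc == win32event.WAIT_OBJECT_0:
                self.conn.close()
                listener.close()
                self.conn = None
                break
            try:
                self._serve_client(registry)
            finally:
                # Always release the connection and the listening port, also
                # when the client went away abnormally; otherwise the next
                # Listener() on the same port fails with address-in-use.
                self.conn.close()
                listener.close()
                self.conn = None
            rc = win32event.WaitForSingleObject(self.hWaitStop, 1000)
        # Shutdown: undo the IFEO entries before the process exits.
        self.del_debugger(self.binlist)
        print("Cerrando el servicio")

    def _serve_client(self, registry):
        """Handle the client connected on ``self.conn`` until it is done.

        Returns when the peer disconnects (or ``recv`` fails), or after one
        valid ``[binary, subpath]`` request has been processed. Closing the
        connection and the listener is the caller's job.
        """
        while True:
            ready = select.select([self.conn], [], [], 999999)
            if not ready[0]:
                continue
            print("Mensaje recibido, escribiendo...")
            try:
                data = self.conn.recv()
            except Exception as exc:
                # Peer closed, socket error or undecodable message: drop this
                # client but keep the service running. Narrowed from a bare
                # except so SystemExit/KeyboardInterrupt still propagate.
                print("Saliendo...")
                print("recv failed: %r" % (exc,))
                return
            if self._is_request(data):
                self._process_request(registry, data[0], data[1])
                return

    def _is_request(self, data):
        """Return True when ``data`` is ``[binary, subpath]`` with an allow-listed binary.

        Only the binary name is validated (against ``binlist``). The subpath
        is used verbatim as a key name under the user's hive; its expected
        shape is not fixed here (TODO confirm with the agent client).
        """
        return isinstance(data, list) and len(data) == 2 and data[0] in self.binlist

    def _process_request(self, registry, binary, subpath):
        """Service one validated request: clean up, let the client run ``binary``, re-arm."""
        self.del_debugger([binary])
        # Managing the "bad" path: delete the per-user subkey if it exists.
        reg_path = self.get_hkcu() + "\\" + subpath
        k = registry.open_key(HKEY_USERS, reg_path)
        if k:
            registry.delete_key(HKEY_USERS, reg_path)
        # Tell the agent to execute the binary now.
        print("Sending message to execute")
        self.conn.send(["execute", binary])
        # Give the client up to 20 s to answer or close before re-arming.
        select.select([self.conn], [], [], 20)
        # Setting the debugger key before breaking connection
        self.add_debugger([binary])

    def SvcStop(self):
        """Called by the SCM when the service is being shut down."""
        # tell the SCM we're shutting down
        self.ReportServiceStatus(win32service.SERVICE_STOP_PENDING)
        # fire the stop event
        win32event.SetEvent(self.hWaitStop)
        if self.conn:
            # A client is connected: closing it makes the serving loop's
            # recv() fail, so SvcDoRun returns to the stop check.
            self.conn.close()
        else:
            # SvcDoRun is blocked in accept(): connect once to unblock it.
            Client(self.LISTEN_ADDR, authkey=self.AUTH_KEY)

    def add_debugger(self, binlist):
        """Set the IFEO ``debugger`` value for each binary in ``binlist``.

        The per-binary key is created when missing. The value is the launcher
        string from :meth:`build_payload`, pointing at the ``.pyw`` agent that
        shares the binary's base name.
        """
        registry = Registry()
        for binary in binlist:
            path = self.DEBUG_KEY + binary
            k = registry.open_key(HKLM, path) or registry.create_key(HKLM, path)
            # sdclt.exe -> sdclt.pyw (splitext keeps names without a
            # 3-letter extension intact instead of chopping them).
            agent = os.path.splitext(binary)[0] + ".pyw"
            payload = self.build_payload(agent)
            registry.create_value(k, "debugger", payload)

    def del_debugger(self, binlist):
        """Remove the IFEO ``debugger`` value for each binary in ``binlist``.

        Binaries whose key does not exist are skipped, so a missing entry for
        one binary no longer leaves the remaining entries in place.
        """
        registry = Registry()
        for binary in binlist:
            k = registry.open_key(HKLM, self.DEBUG_KEY + binary)
            if not k:
                continue
            registry.del_value(k, "debugger")

    def build_payload(self, binary):
        """Return the IFEO ``debugger`` command line that launches ``binary``.

        ``binary`` is a file name resolved inside :meth:`agents_path`; the
        command runs it through mshta/VBScript/PowerShell.
        """
        return "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell -Command \"\"\"\"& '%s%s'\"\"\"\"\"\", 0 : window.close\")" % (self.agents_path(), binary)

    def agents_path(self):
        """Return the ``agents`` directory next to this file, with a trailing backslash."""
        dirpath = os.path.dirname(os.path.realpath(__file__))
        return str(dirpath) + "\\agents\\"

    def get_hkcu(self):
        """Return the string SID of ``user_name``, i.e. that user's subkey name under ``HKEY_USERS``."""
        sid = win32security.LookupAccountName(None, self.user_name)[0]
        return str(win32security.ConvertSidToStringSid(sid))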
if __name__ == "__main__":
    # pywin32 dispatches the service verb given on the command line
    # (install, start, stop, remove, ...) for this service class.
    win32serviceutil.HandleCommandLine(MitigateSvc)