Merge branch 'outflanknl:main' into main

sliverarmory · Jun 21, 2023 · d5aaac1 · d5aaac1
2 parents a4d649a + f02df22
commit d5aaac1
Show file tree

Hide file tree

Showing 132 changed files with 15,727 additions and 389 deletions.
diff --git a/BOF/AddMachineAccount/MachineAccounts.cna b/BOF/AddMachineAccount/MachineAccounts.cna
@@ -17,7 +17,7 @@ alias GetMachineAccountQuota {
     $bid = $1;
 
     # Read in the right BOF file
-    $handle = openf(script_resource("GetMachineAccountQuota.o"));
+    $handle = openf(script_resource("GetMachineAccountQuota." . barch($bid) . ".o"));
     $data   = readb($handle, -1);
     closef($handle);
 
@@ -39,7 +39,7 @@ alias AddMachineAccount {
     }
 
     # Read in the right BOF file
-    $handle = openf(script_resource("AddMachineAccount.o"));
+    $handle = openf(script_resource("AddMachineAccount." . barch($bid) . ".o"));
     $data   = readb($handle, -1);
     closef($handle);
 
@@ -68,7 +68,7 @@ alias DelMachineAccount {
     }
 
     # Read in the right BOF file
-    $handle = openf(script_resource("DelMachineAccount.o"));
+    $handle = openf(script_resource("DelMachineAccount." . barch($bid) . ".o"));
     $data   = readb($handle, -1);
     closef($handle);
 

diff --git a/BOF/AddMachineAccount/MachineAccounts_bof.s1.py b/BOF/AddMachineAccount/MachineAccounts_bof.s1.py
@@ -0,0 +1,65 @@
+from typing import List, Tuple
+
+from outflank_stage1.task.base_bof_task import BaseBOFTask
+from outflank_stage1.task.enums import BOFArgumentEncoding
+
+
+class AddMachineAccountBOF(BaseBOFTask):
+    def __init__(self):
+        super().__init__("AddMachineAccount")
+
+        self.parser.description = (
+            "Add a computer account to the Active Directory domain."
+        )
+        self.parser.epilog = "Use Active Directory Service Interfaces (ADSI) to add a computer account to AD."
+
+        self.parser.add_argument("computername", help="Computer name")
+
+        self.parser.add_argument(
+            "password",
+            help="Password",
+            nargs="?",
+        )
+
+    def _encode_arguments_bof(
+        self, arguments: List[str]
+    ) -> List[Tuple[BOFArgumentEncoding, str]]:
+        parser_arguments = self.parser.parse_args(arguments)
+
+        if parser_arguments.password is not None:
+            return [
+                (BOFArgumentEncoding.WSTR, parser_arguments.computername),
+                (BOFArgumentEncoding.WSTR, parser_arguments.password),
+            ]
+
+        return [(BOFArgumentEncoding.WSTR, parser_arguments.computername)]
+
+
+class DelMachineAccountBOF(BaseBOFTask):
+    def __init__(self):
+        super().__init__("DelMachineAccount")
+
+        self.parser.description = (
+            "Remove a computer account from the Active Directory domain."
+        )
+        self.parser.epilog = "Use Active Directory Service Interfaces (ADSI) to delete a computer account from AD."
+
+        self.parser.add_argument("computername", help="Computer name")
+
+    def _encode_arguments_bof(
+        self, arguments: List[str]
+    ) -> List[Tuple[BOFArgumentEncoding, str]]:
+        parser_arguments = self.parser.parse_args(arguments)
+
+        return [(BOFArgumentEncoding.WSTR, parser_arguments.computername)]
+
+
+class GetMachineAccountQuota(BaseBOFTask):
+    def __init__(self):
+        super().__init__("GetMachineAccountQuota")
+
+        self.parser.description = (
+            "Read the MachineAccountQuota value from the Active Directory domain."
+        )
+
+        self.parser.epilog = "Use Active Directory Service Interfaces (ADSI) to read the ms-DS-MachineAccountQuota value from AD."
diff --git a/BOF/AddMachineAccount/SOURCE/AddMachineAccount.c b/BOF/AddMachineAccount/SOURCE/AddMachineAccount.c
@@ -24,9 +24,9 @@ void GenRandomStringW(LPWSTR lpFileName, INT len) {
 }
 
 void GetFormattedErrMsg(_In_ HRESULT hr) {
-    LPWSTR lpwErrorMsg = NULL;
+	LPWSTR lpwErrorMsg = NULL;
 
-    KERNEL32$FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,  
+	KERNEL32$FormatMessageW(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS,  
 	NULL,
 	(DWORD)hr,
 	MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
@@ -42,7 +42,7 @@ void GetFormattedErrMsg(_In_ HRESULT hr) {
 		BeaconPrintf(CALLBACK_ERROR, "HRESULT 0x%08lx", hr);
 	}
 
-    return;
+	return;
 }
 
 HRESULT CreateMachineAccount(_In_ LPCWSTR lpwComputername, _In_ LPCWSTR lpwPassword) {

diff --git a/BOF/AddMachineAccount/SOURCE/Makefile b/BOF/AddMachineAccount/SOURCE/Makefile
@@ -1,13 +1,19 @@
 SRC = $(wildcard *.c)
 OBJS = $(patsubst %.c, %.o, $(SRC))
+CC_x86 := i686-w64-mingw32-gcc
 CC_x64 := x86_64-w64-mingw32-gcc
+STRIP_x86 := i686-w64-mingw32-strip
 STRIP_x64 := x86_64-w64-mingw32-strip
+CFLAGS := -masm=intel
 
 all: $(OBJS)
 
 %.o: %.c
-	$(CC_x64) $(CFLAGS) -o ../$@ -c $<
-	$(STRIP_x64) --strip-unneeded ../$@
+	$(CC_x64) $(CFLAGS) -o ../$*.x64.o -c $<
+	$(STRIP_x64) --strip-unneeded ../$*.x64.o
+
+	$(CC_x86) $(CFLAGS) -o ../$*.x86.o -DWOW64 -fno-leading-underscore -c $<
+	$(STRIP_x86) --strip-unneeded ../$*.x86.o
 
 clean:
-	rm ../*.o
+	rm ../*.o
diff --git a/BOF/Askcreds/Askcreds.cna b/BOF/Askcreds/Askcreds.cna
@@ -10,7 +10,7 @@ alias Askcreds {
     $input = substr($0, 9);
 
     # Read in the right BOF file
-    $handle = openf(script_resource("Askcreds.o"));
+    $handle = openf(script_resource("Askcreds." . barch($bid) . ".o"));
     $data   = readb($handle, -1);
     closef($handle);
 

diff --git a/BOF/Askcreds/Askcreds_bof.s1.py b/BOF/Askcreds/Askcreds_bof.s1.py
@@ -0,0 +1,39 @@
+import argparse
+from typing import List, Tuple, Optional
+
+from outflank_stage1.implant import ImplantArch
+from outflank_stage1.task.base_bof_task import BaseBOFTask
+from outflank_stage1.task.enums import BOFArgumentEncoding
+
+
+class AskCredsBOF(BaseBOFTask):
+    def __init__(self):
+        super().__init__("Askcreds")
+
+        self.parser.description = (
+            "Collect passwords using CredUIPromptForWindowsCredentialsName."
+        )
+
+        self.parser.add_argument(
+            "reason",
+            help="This reason is displayed as part of the prompt (default: Restore Network Connection).",
+            nargs=argparse.REMAINDER,
+        )
+
+        self.parser.epilog = "Collect passwords by simply asking."
+
+    def _encode_arguments_bof(
+        self, arguments: List[str]
+    ) -> List[Tuple[BOFArgumentEncoding, str]]:
+        parser_arguments = self.parser.parse_args(arguments)
+
+        if parser_arguments.reason is None:
+            return []
+
+        return [(BOFArgumentEncoding.WSTR, " ".join(parser_arguments.reason))]
+
+    def run(self, arguments: List[str]):
+        self.append_response(
+            "Askcreds BOF by Outflank, waiting max 60sec for user input...\n"
+        )
+        super().run(arguments)