Merge pull request #1 from freefirex/main

Add majority of TrustedSec public Remote-Ops BOF's
sliverarmory · Jun 14, 2022 · d969aa2 · d969aa2
2 parents 6df67bc + 48f8921
commit d969aa2
Show file tree

Hide file tree

Showing 33 changed files with 655 additions and 3 deletions.
diff --git a/.github/workflows/autorelease.yml b/.github/workflows/autorelease.yml
@@ -54,6 +54,71 @@ jobs:
         run: |
           chmod +x ./make_bof.sh
           ./make_bof.sh enableuser
+      
+      - name: ProcessDestroy
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh ProcessDestroy
+
+      - name: ProcessListHandles
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh ProcessListHandles
+
+      - name: reg_delete
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh reg_delete
+
+      - name: reg_save
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh reg_save
+
+      - name: sc_config
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh sc_config
+
+      - name: sc_create
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh sc_create
+
+      - name: sc_delete
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh sc_delete
+
+      - name: sc_description
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh sc_description
+
+      - name: sc_start
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh sc_start
+
+      - name: sc_stop
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh sc_stop
+
+      - name: schtasksdelete
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh schtasksdelete
+
+      - name: schtasksstop
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh schtasksstop
+
+      - name: setuserpass
+        run: |
+          chmod +x ./make_bof.sh
+          ./make_bof.sh setuserpass
 
       - name: "Publish Release"
         uses: "marvinpinto/action-automatic-releases@latest"

diff --git a/src/Remote/ProcessDestroy/Makefile b/src/Remote/ProcessDestroy/Makefile
@@ -10,6 +10,7 @@ all:
 	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
 	mkdir -p ../../../Remote/$(BOFNAME) 
 	mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+	cp extension.json ../../../Remote/$(BOFNAME)
 
 test:
 	$(CC_x64) entry.c $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe  

diff --git a/src/Remote/ProcessDestroy/extension.json b/src/Remote/ProcessDestroy/extension.json
@@ -0,0 +1,37 @@
+{
+"name": "processdestroy",
+"version": "0.0.0",
+"command_name": "remote-process-destroy",
+"extension_author": "TrustedSec",
+"original_author": "TrustedSec",
+"repo_url": "N/A",
+"help": "Attempt to crash a local process by cutting all handles in it.",
+"depends_on": "coff-loader",
+"entrypoint": "go",
+"files": [
+{
+"os": "windows",
+"arch": "amd64",
+"path": "ProcessDestroy.x64.o"
+},
+{
+"os": "windows",
+"arch": "386",
+"path": "ProcessDestroy.x86.o"
+}
+],
+"arguments": [
+    {
+    "name": "pid",
+    "desc": "Process id to manipulate",
+    "type": "integer",
+    "optional": false
+    },
+    {
+    "name": "handleNumber",
+    "desc": "Handle ID you want to cut, cut all if not provided",
+    "type": "integer",
+    "optional": true
+    }
+]
+}
diff --git a/src/Remote/ProcessListHandles/Makefile b/src/Remote/ProcessListHandles/Makefile
@@ -10,6 +10,7 @@ all:
 	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
 	mkdir -p ../../../Remote/$(BOFNAME) 
 	mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+	cp extension.json ../../../Remote/$(BOFNAME)
 
 test:
 	$(CC_x64) entry.c $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe  

diff --git a/src/Remote/ProcessListHandles/extension.json b/src/Remote/ProcessListHandles/extension.json
@@ -0,0 +1,31 @@
+{
+"name": "ProcessListHandles",
+"version": "0.0.0",
+"command_name": "remote-process-list-handles",
+"extension_author": "TrustedSec",
+"original_author": "TrustedSec",
+"repo_url": "N/A",
+"help": "list the various handles a process has open",
+"depends_on": "coff-loader",
+"entrypoint": "go",
+"files": [
+{
+"os": "windows",
+"arch": "amd64",
+"path": "ProcessListHandles.x64.o"
+},
+{
+"os": "windows",
+"arch": "386",
+"path": "ProcessListHandles.x86.o"
+}
+],
+"arguments": [
+    {
+    "name": "pid",
+    "desc": "pid to list handles of",
+    "type": "int",
+    "optional": false
+    }
+]
+}
diff --git a/src/Remote/adcs_request/Makefile b/src/Remote/adcs_request/Makefile
@@ -10,6 +10,7 @@ all:
 	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
 	mkdir -p ../../../Remote/$(BOFNAME) 
 	mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+	cp extension.json ../../../Remote/$(BOFNAME)
 
 test:
 	$(CC_x64) entry.c $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe

diff --git a/src/Remote/chromeKey/Makefile b/src/Remote/chromeKey/Makefile
@@ -10,6 +10,7 @@ all:
 	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
 	mkdir -p ../../../Remote/$(BOFNAME) 
 	mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+	cp extension.json ../../../Remote/$(BOFNAME)
 
 test:
 	$(CC_x64) entry.c -g $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe

diff --git a/src/Remote/enableuser/Makefile b/src/Remote/enableuser/Makefile
@@ -10,6 +10,7 @@ all:
 	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
 	mkdir -p ../../../Remote/$(BOFNAME) 
 	mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+	cp extension.json ../../../Remote/$(BOFNAME)	
 
 test:
 	$(CC_x64) entry.c $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe  

diff --git a/src/Remote/enableuser/extension.json b/src/Remote/enableuser/extension.json
@@ -32,6 +32,6 @@
         "desc": "Username to unlock / enable",
         "type": "wstring",
         "optional": false
-      }
-    ]
-  }
+    }
+]
+}
diff --git a/src/Remote/reg_delete/Makefile b/src/Remote/reg_delete/Makefile
@@ -10,6 +10,7 @@ all:
 	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
 	mkdir -p ../../../Remote/$(BOFNAME) 
 	mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+	cp extension.json ../../../Remote/$(BOFNAME)
 
 test:
 	$(CC_x64) entry.c $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe  

diff --git a/src/Remote/reg_delete/extension.json b/src/Remote/reg_delete/extension.json
@@ -0,0 +1,55 @@
+{
+"name": "reg_delete",
+"version": "0.0.0",
+"command_name": "remote-reg-delete",
+"extension_author": "TrustedSec",
+"original_author": "TrustedSec",
+"repo_url": "https://github.com/sliverarmory/CS-Remote-OPs-BOF",
+"help": "Delete a registry key or value",
+"depends_on": "coff-loader",
+"entrypoint": "go",
+"files": [
+{
+"os": "windows",
+"arch": "amd64",
+"path": "reg_delete.x64.o"
+},
+{
+"os": "windows",
+"arch": "386",
+"path": "reg_delete.x86.o"
+}
+],
+"arguments": [
+    {
+    "name": "hostname",
+    "desc": "\"\"=local else remote hostname",
+    "type": "string",
+    "optional": false
+    },
+    {
+    "name": "hive",
+    "desc": "0=HKCR|1=HKCU|2=HKLM|3=HKU",
+    "type": "int",
+    "optional": false
+    },
+    {
+    "name": "path",
+    "desc": "registry key path",
+    "type": "string",
+    "optional": false
+    },
+    {
+    "name": "value",
+    "desc": "value under key to delete, use \"\" when deleteing a whole key",
+    "type": "string",
+    "optional": false
+    },
+    {
+    "name": "Deletekey",
+    "desc": "Set to 1 when deleting a whole key",
+    "type": "int",
+    "optional": true
+    }
+]
+}
diff --git a/src/Remote/reg_save/Makefile b/src/Remote/reg_save/Makefile
@@ -10,6 +10,7 @@ all:
 	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
 	mkdir -p ../../../Remote/$(BOFNAME) 
 	mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+	cp extension.json ../../../Remote/$(BOFNAME)
 
 test:
 	$(CC_x64) entry.c $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe  

diff --git a/src/Remote/reg_save/extension.json b/src/Remote/reg_save/extension.json
@@ -0,0 +1,43 @@
+{
+"name": "reg_save",
+"version": "0.0.0",
+"command_name": "remote-reg-save",
+"extension_author": "TrustedSec",
+"original_author": "TrustedSec",
+"repo_url": "https://github.com/sliverarmory/CS-Remote-OPs-BOF",
+"help": "backup a registry have to a file on disk (requires Enabled SEBackup Priv)",
+"depends_on": "coff-loader",
+"entrypoint": "go",
+"files": [
+{
+"os": "windows",
+"arch": "amd64",
+"path": "reg_save.x64.o"
+},
+{
+"os": "windows",
+"arch": "386",
+"path": "reg_save.x86.o"
+}
+],
+"arguments": [
+    {
+    "name": "path",
+    "desc": "parent key to initiate save from",
+    "type": "string",
+    "optional": false
+    },
+    {
+    "name": "output_path",
+    "desc": "path on target disk to write backup to",
+    "type": "string",
+    "optional": false
+    },
+    {
+    "name": "hive",
+    "desc": "0=HKCR|1=HKCU|2=HKLM|3=HKU",
+    "type": "int",
+    "optional": false
+    }
+]
+}
diff --git a/src/Remote/reg_set/Makefile b/src/Remote/reg_set/Makefile
@@ -10,6 +10,8 @@ all:
 	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
 	mkdir -p ../../../Remote/$(BOFNAME) 
 	mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+	# cp extension.json ../../../Remote/$(BOFNAME)
+	#TODO: c file needs to be re-written to account for lack of server side coding support in sliver
 
 test:
 	$(CC_x64) entry.c $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe  

diff --git a/src/Remote/sc_config/Makefile b/src/Remote/sc_config/Makefile
@@ -10,6 +10,7 @@ all:
 	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
 	mkdir -p ../../../Remote/$(BOFNAME) 
 	mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+	cp extension.json ../../../Remote/$(BOFNAME)
 
 test:
 	$(CC_x64) entry.c $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe  

diff --git a/src/Remote/sc_config/extension.json b/src/Remote/sc_config/extension.json
@@ -0,0 +1,56 @@
+{
+"name": "sc_config",
+"version": "0.0.0",
+"command_name": "remote-sc-config",
+"extension_author": "TrustedSec",
+"original_author": "TrustedSec",
+"repo_url": "https://github.com/sliverarmory/CS-Remote-OPs-BOF",
+"help": "configure an existing service",
+"depends_on": "coff-loader",
+"entrypoint": "go",
+"files": [
+{
+"os": "windows",
+"arch": "amd64",
+"path": "sc_config.x64.o"
+},
+{
+"os": "windows",
+"arch": "386",
+"path": "sc_config.x86.o"
+}
+],
+"arguments": [
+    {
+    "name": "hostname",
+    "desc": "hostname to modify service on use \"\" for local system",
+    "type": "string",
+    "optional": false
+    },
+    {
+    "name": "service_name",
+    "desc": "name of service to configure",
+    "type": "string",
+    "optional": false
+    },
+    {
+    "name": "binpath",
+    "desc": "New binary path for service",
+    "type": "string",
+    "optional": false
+    },
+    {
+    "name": "error_mode",
+    "desc": "new error mode for service binary\n\t\t0=ignore|1=normal|2=severe|3=critical",
+    "type": "short",
+    "optional": false
+    },
+    {
+    "name": "start_mode",
+    "desc": "start mode for service\n\t\t2=auto|3=demand|4=disable",
+    "type": "short",
+    "optional": false
+    }
+
+]
+}
diff --git a/src/Remote/sc_create/Makefile b/src/Remote/sc_create/Makefile
@@ -10,6 +10,7 @@ all:
 	$(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
 	mkdir -p ../../../Remote/$(BOFNAME) 
 	mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+	cp extension.json ../../../Remote/$(BOFNAME)
 
 test:
 	$(CC_x64) entry.c $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe