Merge pull request #1088 from SecureAuthCorp/pr-605-catchup

Add silent command

Author: 0xdeaddood

examples/atexec.py

@@ -37,7 +37,7 @@
 
 class TSCH_EXEC:
     def __init__(self, username='', password='', domain='', hashes=None, aesKey=None, doKerberos=False, kdcHost=None,
-                 command=None, sessionId=None):
+                 command=None, sessionId=None, silentCommand=False):
         self.__username = username
         self.__password = password
         self.__domain = domain
@@ -47,6 +47,7 @@ def __init__(self, username='', password='', domain='', hashes=None, aesKey=None
         self.__doKerberos = doKerberos
         self.__kdcHost = kdcHost
         self.__command = command
+        self.__silentCommand = silentCommand
         self.sessionId = sessionId
 
         if hashes is not None:
@@ -157,7 +158,8 @@ def cmd_split(cmdline):
     </Exec>
   </Actions>
 </Task>
-        """ % (xml_escape(cmd), xml_escape(args))
+        """ % ((xml_escape(cmd) if self.__silentCommand is False else self.__command.split()[0]), 
+            (xml_escape(args) if self.__silentCommand is False else " ".join(self.__command.split()[1:])))
         taskCreated = False
         try:
             logging.info('Creating task \\%s' % tmpName)
@@ -201,6 +203,10 @@ def cmd_split(cmdline):
             dce.disconnect()
             return
 
+        if self.__silentCommand:
+            dce.disconnect()
+            return
+
         smbConnection = rpctransport.get_smb_connection()
         waitOnce = True
         while True:
@@ -222,7 +228,7 @@ def cmd_split(cmdline):
                     raise
         logging.debug('Deleting file ADMIN$\\Temp\\%s' % tmpFileName)
         smbConnection.deleteFile('ADMIN$', 'Temp\\%s' % tmpFileName)
- 
+
         dce.disconnect()
 
 
@@ -235,8 +241,9 @@ def cmd_split(cmdline):
     parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
     parser.add_argument('command', action='store', nargs='*', default=' ', help='command to execute at the target ')
     parser.add_argument('-session-id', action='store', type=int, help='an existed logon session to use (no output, no cmd.exe)')
-
     parser.add_argument('-ts', action='store_true', help='adds timestamp to every logging output')
+    parser.add_argument('-silentcommand', action='store_true', default = False, help='does not execute cmd.exe to run '
+                                                                                     'given command (no output)')
     parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
     parser.add_argument('-codec', action='store', help='Sets encoding used (codec) from the target\'s output (default '
                                                        '"%s"). If errors are detected, run chcp.com at the target, '
@@ -303,5 +310,5 @@ def cmd_split(cmdline):
         options.k = True
 
     atsvc_exec = TSCH_EXEC(username, password, domain, options.hashes, options.aesKey, options.k, options.dc_ip,
-                           ' '.join(options.command), options.session_id)
+                           ' '.join(options.command), options.session_id, options.silentcommand)
     atsvc_exec.play(address)

examples/dcomexec.py

@@ -98,8 +98,8 @@ def getInterface(self, interface, resp):
                       oxid=objRef['std']['oxid'], oid=objRef['std']['oxid'],
                       target=interface.get_target()))
 
-    def run(self, addr):
-        if self.__noOutput is False:
+    def run(self, addr, silentCommand=False):
+        if self.__noOutput is False and silentCommand is False:
             smbConnection = SMBConnection(addr, addr)
             if self.__doKerberos is False:
                 smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
@@ -163,17 +163,21 @@ def run(self, addr):
 
                 iActiveView = IDispatch(self.getInterface(iMMC, resp['pVarResult']['_varUnion']['pdispVal']['abData']))
                 pExecuteShellCommand = iActiveView.GetIDsOfNames(('ExecuteShellCommand',))[0]
-                self.shell = RemoteShellMMC20(self.__share, (iMMC, pQuit), (iActiveView, pExecuteShellCommand), smbConnection, self.__shell_type)
+                self.shell = RemoteShellMMC20(self.__share, (iMMC, pQuit), (iActiveView, pExecuteShellCommand), smbConnection, self.__shell_type, silentCommand)
             else:
                 resp = iDocument.GetIDsOfNames(('Application',))
                 resp = iDocument.Invoke(resp[0], 0x409, DISPATCH_PROPERTYGET, dispParams, 0, [], [])
 
                 iActiveView = IDispatch(self.getInterface(iMMC, resp['pVarResult']['_varUnion']['pdispVal']['abData']))
                 pExecuteShellCommand = iActiveView.GetIDsOfNames(('ShellExecute',))[0]
-                self.shell = RemoteShell(self.__share, (iMMC, pQuit), (iActiveView, pExecuteShellCommand), smbConnection, self.__shell_type)
+                self.shell = RemoteShell(self.__share, (iMMC, pQuit), (iActiveView, pExecuteShellCommand), smbConnection, self.__shell_type, silentCommand)
 
             if self.__command != ' ':
-                self.shell.onecmd(self.__command)
+                try:
+                    self.shell.onecmd(self.__command)
+                except TypeError:
+                    if not silentCommand:
+                        raise
                 if self.shell is not None:
                     self.shell.do_exit('')
             else:
@@ -196,7 +200,7 @@ def run(self, addr):
         dcom.disconnect()
 
 class RemoteShell(cmd.Cmd):
-    def __init__(self, share, quit, executeShellCommand, smbConnection, shell_type):
+    def __init__(self, share, quit, executeShellCommand, smbConnection, shell_type, silentCommand=False):
         cmd.Cmd.__init__(self)
         self._share = share
         self._output = '\\' + OUTPUT_FILENAME
@@ -207,6 +211,7 @@ def __init__(self, share, quit, executeShellCommand, smbConnection, shell_type):
         self.__quit = quit
         self._executeShellCommand = executeShellCommand
         self.__transferClient = smbConnection
+        self._silentCommand = silentCommand
         self._pwd = 'C:\\windows\\system32'
         self._noOutput = False
         self.intro = '[!] Launching semi-interactive shell - Careful what you execute\n[!] Press help for extra shell commands'
@@ -365,11 +370,15 @@ def output_callback(data):
         self.__transferClient.deleteFile(self._share, self._output)
 
     def execute_remote(self, data, shell_type='cmd'):
-        if shell_type == 'powershell':
-            data = '$ProgressPreference="SilentlyContinue";' + data
-            data = self.__pwsh + b64encode(data.encode('utf-16le')).decode()
+        if self._silentCommand is True:
+            self._shell = data.split()[0]
+            command = ' '.join(data.split()[1:])
+        else:
+            if shell_type == 'powershell':
+                data = '$ProgressPreference="SilentlyContinue";' + data
+                data = self.__pwsh + b64encode(data.encode('utf-16le')).decode()
+            command = '/Q /c ' + data
 
-        command = '/Q /c ' + data
         if self._noOutput is False:
             command += ' 1> ' + '\\\\127.0.0.1\\%s' % self._share + self._output + ' 2>&1'
 
@@ -430,11 +439,15 @@ def send_data(self, data):
 
 class RemoteShellMMC20(RemoteShell):
     def execute_remote(self, data, shell_type='cmd'):
-        if shell_type == 'powershell':
-            data = '$ProgressPreference="SilentlyContinue";' + data
-            data = self._RemoteShell__pwsh + b64encode(data.encode('utf-16le')).decode()
+        if self._silentCommand is True:
+            self._shell = data.split()[0]
+            command = ' '.join(data.split()[1:])
+        else:
+            if shell_type == 'powershell':
+                data = '$ProgressPreference="SilentlyContinue";' + data
+                data = self._RemoteShell__pwsh + b64encode(data.encode('utf-16le')).decode()
+            command = '/Q /c ' + data
 
-        command = '/Q /c ' + data
         if self._noOutput is False:
             command += ' 1> ' + '\\\\127.0.0.1\\%s' % self._share + self._output  + ' 2>&1'
 
@@ -532,6 +545,7 @@ def load_smbclient_auth_file(path):
 
     parser = argparse.ArgumentParser(add_help = True, description = "Executes a semi-interactive shell using the "
                                                                     "ShellBrowserWindow DCOM object.")
+
     parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
     parser.add_argument('-share', action='store', default = 'ADMIN$', help='share where the output will be grabbed from '
                                                                            '(default ADMIN$)')
@@ -548,12 +562,12 @@ def load_smbclient_auth_file(path):
                         help='DCOM object to be used to execute the shell command (default=ShellWindows)')
     parser.add_argument('-com-version', action='store', metavar = "MAJOR_VERSION:MINOR_VERSION", help='DCOM version, '
                         'format is MAJOR_VERSION:MINOR_VERSION e.g. 5.7')
-
     parser.add_argument('-shell-type', action='store', default = 'cmd', choices = ['cmd', 'powershell'], help='choose '
                         'a command processor for the semi-interactive shell')
-
     parser.add_argument('command', nargs='*', default = ' ', help='command to execute at the target. If empty it will '
                                                                   'launch a semi-interactive shell')
+    parser.add_argument('-silentcommand', action='store_true', default = False,
+                        help='does not execute cmd.exe to run given command (no output, cannot run dir/cd/etc.)')
 
     group = parser.add_argument_group('authentication')
 
@@ -588,6 +602,9 @@ def load_smbclient_auth_file(path):
     if ' '.join(options.command) == ' ' and options.nooutput is True:
         logging.error("-nooutput switch and interactive shell not supported")
         sys.exit(1)
+    if options.silentcommand and options.command == ' ':
+        logging.error("-silentcommand switch and interactive shell not supported")
+        sys.exit(1)
 
     if options.debug is True:
         logging.getLogger().setLevel(logging.DEBUG)
@@ -627,7 +644,7 @@ def load_smbclient_auth_file(path):
 
         executer = DCOMEXEC(' '.join(options.command), username, password, domain, options.hashes, options.aesKey,
                             options.share, options.nooutput, options.k, options.dc_ip, options.object, options.shell_type)
-        executer.run(address)
+        executer.run(address, options.silentcommand)
     except (Exception, KeyboardInterrupt) as e:
         if logging.getLogger().level == logging.DEBUG:
             import traceback