Topic: how to save a payload?


GMib

how to save a payload ?
« on: September 18, 2013, 10:40:28 AM »
Hi, I cannot save a payload. Would it be possible to have an example?

Code:
import ctypes as _ctypes
from ctypes.wintypes import HWND as _HWND, HANDLE as _HANDLE, DWORD as _DWORD, LPCWSTR as _LPCWSTR, MAX_PATH as _MAX_PATH, create_unicode_buffer as _cub
import fnmatch
import os

# SHGetFolderPathW fills a caller-supplied buffer with the path of a known folder
_SHGetFolderPath = _ctypes.windll.shell32.SHGetFolderPathW

def get(intFolder):
    # intFolder is a CSIDL constant: 2 = CSIDL_PROGRAMS (current user's Start Menu\Programs),
    # 23 = CSIDL_COMMON_PROGRAMS (all-users Start Menu\Programs)
    _SHGetFolderPath.argtypes = [_HWND, _ctypes.c_int, _HANDLE, _DWORD, _LPCWSTR]
    auPathBuffer = _cub(_MAX_PATH)
    exit_code = _SHGetFolderPath(0, intFolder, 0, 0, auPathBuffer)
    return auPathBuffer.value

#print get(23)
#print get(2)

userProgramsPath = get(2)
programsPath = get(23)

# Map each shortcut path to its spoken phrase (the file name without .lnk).
# This is a plain Python dict; see the replies below for why that does not
# cross over to the C# side.
dictUserPrograms = {}
for root, dirnames, filenames in os.walk(userProgramsPath):
    for filename in fnmatch.filter(filenames, '*.lnk'):
        dictUserPrograms[os.path.join(root, filename)] = filename.replace(".lnk", "")

#print dictUserPrograms
# vc is the VoxCommando object the host makes available to scripts
vc.savePayloadFile("payloads", dictUserPrograms, 1)


An example for each method would be welcome. (I did not understand how to use the getObject method, or what it is.)


jitterjames

Re: how to save a payload ?
« Reply #1 on: September 18, 2013, 12:25:58 PM »
I will play with this a bit and get back to you.

jitterjames

Re: how to save a payload ?
« Reply #2 on: September 18, 2013, 01:45:51 PM »
OK. Your code is very close to working. Thank you for posting it, it is very nice!

First of all, it is important to note that we are using IronPython, and when calling VC methods we must keep in mind that Python is talking to C#, so a few extra steps are involved when dealing with things like lists and dictionaries. When using simple variables such as strings and integers it is not an issue.

Here is a working version of your code.

Code:
import ctypes as _ctypes
from ctypes.wintypes import HWND as _HWND, HANDLE as _HANDLE, DWORD as _DWORD, LPCWSTR as _LPCWSTR, MAX_PATH as _MAX_PATH, create_unicode_buffer as _cub
# .NET generic Dictionary: the type the C# side expects when the payload is handed back
from System.Collections.Generic import Dictionary, List
import fnmatch
import os

_SHGetFolderPath = _ctypes.windll.shell32.SHGetFolderPathW

def get(intFolder):
    # CSIDL constant -> folder path (2 = user Programs, 23 = all-users Programs)
    _SHGetFolderPath.argtypes = [_HWND, _ctypes.c_int, _HANDLE, _DWORD, _LPCWSTR]
    auPathBuffer = _cub(_MAX_PATH)
    exit_code = _SHGetFolderPath(0, intFolder, 0, 0, auPathBuffer)
    return auPathBuffer.value

#print get(23)
#print get(2)

userProgramsPath = get(2)
programsPath = get(23)

# Strongly typed .NET dictionary instead of a Python dict
dictUserPrograms = Dictionary[str,str]()
for root, dirnames, filenames in os.walk(userProgramsPath):
    for filename in fnmatch.filter(filenames, '*.lnk'):
        #print filename
        dictUserPrograms[os.path.join(root, filename)] = filename.replace(".lnk", "")

#print dictUserPrograms
vc.savePayloadFile("startmenu.xml", dictUserPrograms, 1)

So the first thing I needed to add was the line:
Code:
from System.Collections.Generic import Dictionary,List
(actually we probably don't need to import List here, but we might need it for some other methods)

then when declaring the dictionary we change
Code:
dictUserPrograms = {}
to
Code:
dictUserPrograms = Dictionary[str,str]()
Now our dictionary is in a format that C# can understand when we pass it back to the vc.savePayloadFile method.

jitterjames

Re: how to save a payload ?
« Reply #3 on: September 18, 2013, 01:51:26 PM »
One extra note:

Be careful using subset matching with this payloadXml. Unless you are going to edit the phrases and turn subset matching off, I recommend that any commands using this payload have the "confirmation required" option set to true.

Also, your filename parameter should include the xml. So instead of "payload", I changed it to "startmenu.xml". Even better would be to put it in a subfolder, so I would use this code, which also turns subset matching off:

Code:
# raw string so the backslash in the subfolder path is kept literally
vc.savePayloadFile(r"payloads\startmenu.xml", dictUserPrograms, False)
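To see where that warning bites, here is an added example (not code from the thread) that mirrors the path-to-phrase loop on a constructed list of shortcut paths and flags phrases whose words are all contained in a longer phrase; it assumes subset matching lets such a shorter phrase fire on the longer utterance.

```python
import fnmatch
import ntpath

# Constructed sample of Start Menu shortcut paths (not taken from a real machine)
SAMPLE_SHORTCUTS = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Word.lnk",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office\Word Viewer.lnk",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tools\Uninstall.lnk",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tools\Uninstall Everything.lnk",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\readme.txt",
]


def build_payload(paths):
    """Same mapping as the thread's loop: shortcut path -> phrase (name minus .lnk)."""
    payload = {}
    for path in paths:
        filename = ntpath.basename(path)  # ntpath so Windows paths split on any OS
        if fnmatch.fnmatch(filename, "*.lnk"):
            payload[path] = filename[:-len(".lnk")]
    return payload


def words(phrase):
    return set(phrase.lower().split())


def ambiguous_phrases(payload):
    """Phrases whose words are a proper subset of another phrase's words.

    Assumption: with subset matching on, hearing "Uninstall Everything" also
    satisfies the phrase "Uninstall", so the shorter entry can fire on an
    utterance meant for the longer one. These are the entries where the
    "confirmation required" option matters.
    """
    phrases = sorted(set(payload.values()))
    result = {}
    for short in phrases:
        longer = [p for p in phrases if p != short and words(short) < words(p)]
        if longer:
            result[short] = longer
    return result


if __name__ == "__main__":
    for short, longer in ambiguous_phrases(build_payload(SAMPLE_SHORTCUTS)).items():
        print("%r is a subset of %s" % (short, ", ".join(longer)))
```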

GMib

Re: how to save a payload ?
« Reply #4 on: September 18, 2013, 01:56:30 PM »
Yeah, it works ;) C# is too complicated for me. That is why the examples are useful ;)
Thank you a lot

jitterjames

Re: how to save a payload ?
« Reply #5 on: September 18, 2013, 02:21:26 PM »
I don't really think C# is that complicated, but the interface between the two different languages can be a bit tricky.

GMib

Re: how to save a payload ?
« Reply #6 on: September 18, 2013, 03:12:59 PM »
Here is the final script:

Code:
import ctypes as _ctypes
from ctypes.wintypes import HWND as _HWND, HANDLE as _HANDLE, DWORD as _DWORD, LPCWSTR as _LPCWSTR, MAX_PATH as _MAX_PATH, create_unicode_buffer as _cub
from System.Collections.Generic import Dictionary, List
import fnmatch
import os

_SHGetFolderPath = _ctypes.windll.shell32.SHGetFolderPathW

def get(intFolder):
    # CSIDL constant -> folder path (2 = user Programs, 23 = all-users Programs)
    _SHGetFolderPath.argtypes = [_HWND, _ctypes.c_int, _HANDLE, _DWORD, _LPCWSTR]
    auPathBuffer = _cub(_MAX_PATH)
    exit_code = _SHGetFolderPath(0, intFolder, 0, 0, auPathBuffer)
    return auPathBuffer.value

userProgramsPath = get(2)
programsPath = get(23)

# Current user's shortcuts: path -> phrase (file name without .lnk)
dictUserPrograms = {}
for root, dirnames, filenames in os.walk(userProgramsPath):
    for filename in fnmatch.filter(filenames, '*.lnk'):
        dictUserPrograms[os.path.join(root, filename)] = filename.replace(".lnk", "")

# All-users shortcuts
dictPrograms = {}
for root, dirnames, filenames in os.walk(programsPath):
    for filename in fnmatch.filter(filenames, '*.lnk'):
        dictPrograms[os.path.join(root, filename)] = filename.replace(".lnk", "")

# Merge both sets, then convert to a .NET dictionary so the C# side can read it
dictPrograms.update(dictUserPrograms)
dictPayload = Dictionary[str,str](dictPrograms)

if not os.path.isdir('Userpayloads'):
    os.makedirs('Userpayloads')   # body of the if must be indented
vc.savePayloadFile(r"Userpayloads\startmenu.xml", dictPayload, 1)


I have a problem with Windows shortcuts, which all appear in English ;(

Code:
<value>C:\Users\GMib\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk</value>
In French Windows the shortcut is Loupe.lnk, but I don't know how to get the French version of the folder and file.
If anyone has an idea? ;)

GMib

Re: how to save a payload ?
« Reply #7 on: September 18, 2013, 03:20:52 PM »
One extra note:

Be careful using subset matching with this payloadXml. Unless you are going to edit the phrases and turn subset matching off, I recommend that any commands using this payload have the "confirmation required" option set to true.


I missed this post ;)

I'm counting on the "don't execute if alternates" option, once it is possible to enable it for a single command ;)

jitterjames

Re: how to save a payload ?
« Reply #8 on: September 18, 2013, 06:54:06 PM »
In French Windows the shortcut is Loupe.lnk, but I don't know how to get the French version of the folder and file.
If anyone has an idea? ;)

Maybe these links will give you some ideas...

The basic idea is to use windll.shell32.SHGetFileInfo and SHGFI_DISPLAYNAME.

https://mail.python.org/pipermail/python-list/2003-May/228405.html
http://nullege.com/codes/show/src@c@o@coldlauncher-HEAD@coldlib@coldos@winicon.py

I have tried to figure it out myself and I can't get it to work!

GMib

Re: how to save a payload ?
« Reply #9 on: September 19, 2013, 10:45:15 AM »
Yeah, you're the best ;)
As indicated here: http://ironpython.codeplex.com/workitem/22829, I just added bytes(path) to the code from your first link and it works.

Code:
from ctypes import *
from ctypes.wintypes import HWND, HANDLE, DWORD, LPCWSTR, MAX_PATH, HICON, create_unicode_buffer as _cub
from System.Collections.Generic import Dictionary, List
import fnmatch
import os

_SHGetFolderPath = windll.shell32.SHGetFolderPathW

def get(intFolder):
    # CSIDL constant -> folder path (2 = user Programs, 23 = all-users Programs)
    _SHGetFolderPath.argtypes = [HWND, c_int, HANDLE, DWORD, LPCWSTR]
    auPathBuffer = _cub(MAX_PATH)
    exit_code = _SHGetFolderPath(0, intFolder, 0, 0, auPathBuffer)
    return auPathBuffer.value

userProgramsPath = get(2)
programsPath = get(23)

# SHFILEINFO as used by the ANSI SHGetFileInfo. hIcon is a handle, so it must be
# pointer-sized (wintypes.HICON); declaring it as c_int shifts every later field
# in a 64-bit process and lets the shell write past the end of the structure.
class SHFILEINFO(Structure):
    _fields_ = [("hIcon", HICON),
                ("iIcon", c_int),
                ("dwAttributes", c_uint),
                ("szDisplayName", c_char * MAX_PATH),
                ("szTypeName", c_char * 80)]

SHGFI_DISPLAYNAME = 0x000000200   # ask for the localized display name

def display_name(path):
    # Shell display name of a shortcut, e.g. "Loupe" for Magnify.lnk on French
    # Windows. bytes(path) is needed under IronPython (see the codeplex work
    # item above). SHGetFileInfo returns 0 on failure; fall back to the bare
    # file name then, instead of reusing whatever a previous call left in a
    # shared buffer.
    shfileinfo = SHFILEINFO()
    ok = windll.shell32.SHGetFileInfo(bytes(path), 0, byref(shfileinfo), sizeof(shfileinfo), SHGFI_DISPLAYNAME)
    if not ok:
        return os.path.basename(path).replace(".lnk", "")
    return shfileinfo.szDisplayName

# Current user's shortcuts: path -> localized display name
dictUserPrograms = {}
for root, dirnames, filenames in os.walk(userProgramsPath):
    for filename in fnmatch.filter(filenames, '*.lnk'):
        path = os.path.join(root, filename)
        dictUserPrograms[path] = display_name(path)

# All-users shortcuts
dictPrograms = {}
for root, dirnames, filenames in os.walk(programsPath):
    for filename in fnmatch.filter(filenames, '*.lnk'):
        path = os.path.join(root, filename)
        dictPrograms[path] = display_name(path)

# Merge both sets, then convert to a .NET dictionary for the C# side
dictPrograms.update(dictUserPrograms)
dictPayload = Dictionary[str,str](dictPrograms)

if not os.path.isdir('Userpayloads'):
    os.makedirs('Userpayloads')   # body of the if must be indented
vc.savePayloadFile(r"Userpayloads\startmenu.xml", dictPayload, 1)

Code:
<value>C:\Users\GMib\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk</value>
        <phrase>Loupe</phrase>

Thank you
« Last Edit: September 20, 2013, 10:14:39 AM by GMib »
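As an added check (not code from the thread), this builds the SHFILEINFO layout from the post above with both choices for the hIcon field and reports how far szDisplayName drifts and how many bytes a full write by the shell would overrun the narrower allocation in a 64-bit process; in a 32-bit process both layouts agree.

```python
from ctypes import Structure, c_int, c_uint, c_char, c_void_p, sizeof

MAX_PATH = 260


def shfileinfo_layout(handle_type):
    """Build the SHFILEINFO shape used in the thread with handle_type for hIcon.

    Returns (allocated size, offset of szDisplayName, end offset of szTypeName).
    """
    class SHFILEINFO(Structure):
        _fields_ = [("hIcon", handle_type),
                    ("iIcon", c_int),
                    ("dwAttributes", c_uint),
                    ("szDisplayName", c_char * MAX_PATH),
                    ("szTypeName", c_char * 80)]
    end = SHFILEINFO.szTypeName.offset + SHFILEINFO.szTypeName.size
    return sizeof(SHFILEINFO), SHFILEINFO.szDisplayName.offset, end


def pointer_width():
    """Size of a native pointer, i.e. of a real HICON, in this process."""
    return sizeof(c_void_p)


def handle_width_mismatch():
    """Compare the c_int layout (as posted) against the pointer-sized one.

    Returns (drift of szDisplayName in bytes, bytes by which the shell's
    szTypeName write would run past the end of the c_int allocation).
    Both are 0 when pointers are 4 bytes wide.
    """
    wrong_size, wrong_name_off, _ = shfileinfo_layout(c_int)
    _, right_name_off, right_end = shfileinfo_layout(c_void_p)
    drift = right_name_off - wrong_name_off
    overrun = max(0, right_end - wrong_size)
    return drift, overrun


if __name__ == "__main__":
    drift, overrun = handle_width_mismatch()
    print("pointer width %d: display name shifted by %d bytes, overrun %d bytes"
          % (pointer_width(), drift, overrun))
```

A non-zero drift also explains why a c_int hIcon yields empty or truncated names on 64-bit: the shell writes the string four bytes further in than the script reads it.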

jitterjames

Re: how to save a payload ?
« Reply #10 on: September 19, 2013, 10:54:04 AM »
Yeah, we just figured this out this morning, and I was about to post.  It was the bytes() part that was messing me up.  I was trying to use a normal string for the path.