• Stars
    star
    298
  • Rank 139,663 (Top 3 %)
  • Language
    C++
  • License
    GNU General Publi...
  • Created over 4 years ago
  • Updated about 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Pure C++, weaponized, fully automated implementation of RottenPotatoNG

Candy Potato (Caramelized Juicy Potato)

Version 0.2 of JuicyPotato. In comparison with version 0.1 (JuicyPotato), this version offers some improvements, such as automating the exploitation.

Overview

This tool has been made on top of the original JuicyPotato, with the main focus on improving/adding some functionalities which was lacking. It is known to work against both Windows Workstation and Server versions up to 8.1 and Server 2016, respectively.

Summary

JuicyPotato leverages the privilege escalation chain based on certain COM Servers, using a MiTM listener hosted on 127.0.0.1, and it works when you have SeImpersonate or SeAssignPrimaryToken privileges. By default, JuicyPotato uses the BITS service CLSID, and provides other tools (a set of PowerShell and Batch scripts), to enumerate and test other CLSIDs.

Although in combination these tools actually do a fantastic job, I've soon realized during my tests that they present some drawbacks:

  • Multiple executable files to be uploaded on the target machines
  • Multiple data files to be created during the CLSID gathering
  • General lack of speed due to this multistep process

The "weakest" point is that different Windows Versions, as well as different configurations often requires to enumerate available CLSID over the target machine and that "try" them, one by one.

I decided then to automate this process in a new version of JuicyPotato, that is Candy Potato.

For additional information, I suggest seeing the original JuicyPotato repository, and follow the references.

Candy details

For backward compatibility, CandyPotato allows you to do whatever you could with JuicyPotato, adding some new gigs:

New Commands

  • INFO mode
    Enumerate suitable CLSIDs and print them back to the user, improving what GetCLSID.ps1 used to do in JuicyPotato v0.1

  • AUTO mode
    Automatically enumerate suitable CLSIDs and try to exploit them

  • Service StartType
    Filter CLSIDs basing on the Service Start Type (Manual, Auto, Disabled, etc) permitting to minimize failures

Old Commands

  • Target CLSID
    Pick any CLSID you want. In the old JuicyPotato Repository you can find the list organized by OS. (Deprecated: Use -Q to discover available CLSIDs)

  • COM Listening port
    define COM listening port you prefer (default 10000)

  • COM Listening IP address
    bind the server on any IP

  • Process creation mode
    depending on the impersonated user's privileges you can choose from:

    • CreateProcessWithToken (needs SeImpersonate)
    • CreateProcessAsUser (needs SeAssignPrimaryToken)
    • both
  • Process to launch
    launch an executable or script if the exploitation succeeds

  • Process Argument
    customize the launched process arguments

  • RPC Server address
    for a stealthy approach you can authenticate to an external RPC server

  • RPC Server port
    useful if you want to authenticate to an external server and firewall is blocking port 135...

  • TEST mode
    mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM and prints the user of token.

Usage

T:\>CandyPotato.exe
CandyPotato v0.2

Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch

Optional args:
-l <port>: COM server listen port (default 10000)
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user
-x automatically identifies suitable CLSIDs and attempt exploitation
-s <start-type> [1-4](default 3:[MANUAL])
-Q print available CLSIDs and exit

Example

Considerations

This exploit has been silently mitigated by Microsoft in a completed unrelated update affecting Oxid Resolvers. The full story, and a new exploit ("RoguePotato") capable to bypass the unintended mitigation, can be found at the following addresses:

Credits (JuicyPotato v0.1)

Awesome work done by @decoder-it (decoder_it) and @ohpe (Giutro) on the original Juicy-Potato:

Also I would like to take a moment to say a "Thanks" to @AntonioCoco for the work on RoguePotato:

These guys are amazing.

References

More Repositories

1

inceptor

Template-Driven AV/EDR Evasion Framework
Assembly
1,561
star
2

SysWhispers3

SysWhispers on Steroids - AV/EDR evasion via direct system calls.
Python
1,256
star
3

CVE-2021-40444

CVE-2021-40444 - Fully Weaponized Microsoft Office Word RCE Exploit
HTML
795
star
4

CheeseTools

Self-developed tools for Lateral Movement/Code Execution
C#
683
star
5

SilentMoonwalk

PoC Implementation of a fully dynamic call stack spoofer
C++
665
star
6

chameleon

PowerShell Script Obfuscator
Python
485
star
7

vortex

VPN Overall Reconnaissance, Testing, Enumeration and eXploitation Toolkit
Python
419
star
8

DriverJack

Hijacking valid driver services to load arbitrary (signed) drivers abusing native symbolic links and NT paths
C++
246
star
9

SharpSelfDelete

C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs
C#
147
star
10

NimlineWhispers3

A tool for converting SysWhispers3 syscalls for use with Nim projects
Nim
137
star
11

RpcProxyInvoke

Simple POC library to execute arbitrary calls proxying them via NdrServerCall2 or similar
C++
100
star
12

klezVirus.github.io

CyberSec Blog
JavaScript
96
star
13

SharpLdapRelayScan

C# Port of LdapRelayScan
C#
77
star
14

koppeling-p

Adaptive DLL hijacking / dynamic export forwarding - EAT preserve
Python
66
star
15

DCKFinder

Dangling COM Keys Finder
C++
14
star
16

deser-node

NodeJS Deserialization Payload Generator
JavaScript
9
star
17

codegrepper

Pure python, self-contained, silly implementation of a SAST tool
Python
8
star
18

mapt-run

Simple script to setup a local hosted network for Mobile Application Penetration Testing
Shell
8
star
19

faceless

Faceless - Simple Tool for Text-File Anonymization
Python
7
star
20

msf-revhttp-gen

Little utility to facilitate Metasploit Reverse HTTP Payloads
Shell
7
star
21

nmap-report

A simple tool that can be use to extract usful information from a nmap scan
Shell
7
star
22

CryptoCheck

NIST-CAVS Extended - Encryption Auto Testing Toolkit
Python
4
star
23

deser-py

Python Deserialization Payload Generator
Python
4
star
24

deser-ruby

Ruby Deserialization Payload Generator
Ruby
4
star
25

nx_reporter

Rapid7 Nexpose template-based report generator
Python
4
star
26

muts-opt-encoder

Independent implementation of the optimized SUB-Encoder
Python
4
star
27

klezVirus

Temporary unavailable...
3
star
28

php-ipfinder

A simple tool to enumerate various info on a set of IP addresses
PHP
2
star
29

cves

Public Advisories Redirector
1
star
30

cors-security-remove

JavaScript
1
star
31

Posts

Offensive Security Certifications Reviews
1
star
32

oldrivrs

some old drivers and misc crap from a while ago
C
1
star