GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → klezVirus → CandyPotato

klezVirus / CandyPotato

Licence: GPL-3.0 license
Pure C++, weaponized, fully automated implementation of RottenPotatoNG

Programming Languages

C++
36643 projects - #6 most used programming language
HTML
75241 projects
c
50402 projects - #5 most used programming language

Labels

exploitationprivescjuicy-potato

Projects that are alternatives of or similar to CandyPotato

Awesome Bbht
A bash script that will automatically install a list of bug hunting tools that I find interesting for recon, exploitation, etc. (minus burp) For Ubuntu/Debain.
Stars: ✭ 190 (-31.65%)
Mutual labels:  exploitation
Insecureprogramming
mirror of gera's insecure programming examples | http://community.coresecurity.com/~gera/InsecureProgramming/
Stars: ✭ 229 (-17.63%)
Mutual labels:  exploitation
PLtools
整理一些内网常用渗透小工具
Stars: ✭ 227 (-18.35%)
Mutual labels:  exploitation
Ps4 6.20 Webkit Code Execution Exploit
A WebKit exploit using CVE-2018-4441 to obtain RCE on PS4 6.20.
Stars: ✭ 197 (-29.14%)
Mutual labels:  exploitation
Tigershark
Bilingual PhishingKit. TigerShark intergrates a vast array of various phishing tools and frameworks, from C2 servers, backdoors and delivery methods in multiple scripting languages in order to suit whatever your deployment needs may be.
Stars: ✭ 212 (-23.74%)
Mutual labels:  exploitation
Injectopi
A set of tutorials about code injection for Windows.
Stars: ✭ 237 (-14.75%)
Mutual labels:  exploitation
Vulnerable Kext
A WIP "Vulnerable by Design" kext for iOS/macOS to play & learn *OS kernel exploitation
Stars: ✭ 188 (-32.37%)
Mutual labels:  exploitation
bisc
Borrowed Instructions Synthetic Computation
Stars: ✭ 71 (-74.46%)
Mutual labels:  exploitation
Shellab
Linux and Windows shellcode enrichment utility
Stars: ✭ 225 (-19.06%)
Mutual labels:  exploitation
Droid Application Fuzz Framework
Android application fuzzing framework with fuzzers and crash monitor.
Stars: ✭ 248 (-10.79%)
Mutual labels:  exploitation
Ciscorv320dump
CVE-2019-1652 /CVE-2019-1653 Exploits For Dumping Cisco RV320 Configurations & Debugging Data AND Remote Root Exploit!
Stars: ✭ 198 (-28.78%)
Mutual labels:  exploitation
Cve 2019 9810
Exploit for CVE-2019-9810 Firefox on Windows 64-bit.
Stars: ✭ 200 (-28.06%)
Mutual labels:  exploitation
Xxexploiter
Tool to help exploit XXE vulnerabilities
Stars: ✭ 243 (-12.59%)
Mutual labels:  exploitation
Xrop
Tool to generate ROP gadgets for ARM, AARCH64, x86, MIPS, PPC, RISCV, SH4 and SPARC
Stars: ✭ 195 (-29.86%)
Mutual labels:  exploitation
reosploit
A Tool that Finds, Enumerates, and Exploits Reolink Cameras.
Stars: ✭ 89 (-67.99%)
Mutual labels:  exploitation
Exploitation Course
Offensive Software Exploitation Course
Stars: ✭ 189 (-32.01%)
Mutual labels:  exploitation
Commix
Automated All-in-One OS Command Injection Exploitation Tool.
Stars: ✭ 3,016 (+984.89%)
Mutual labels:  exploitation
inthewilddb
Hourly updated database of exploit and exploitation reports
Stars: ✭ 127 (-54.32%)
Mutual labels:  exploitation
tryhackme-ctf
TryHackMe CTFs writeups, notes, drafts, scrabbles, files and solutions.
Stars: ✭ 140 (-49.64%)
Mutual labels:  exploitation
Idacyber
Data Visualization Plugin for IDA Pro
Stars: ✭ 244 (-12.23%)
Mutual labels:  exploitation
View All Similar Projects ➔

Candy Potato (Caramelized Juicy Potato)

Version 0.2 of JuicyPotato. In comparison with version 0.1 (JuicyPotato), this version offers some improvements, such as automating the exploitation.

Overview

This tool has been made on top of the original JuicyPotato, with the main focus on improving/adding some functionalities which was lacking. It is known to work against both Windows Workstation and Server versions up to 8.1 and Server 2016, respectively.

Summary

JuicyPotato leverages the privilege escalation chain based on certain COM Servers, using a MiTM listener hosted on 127.0.0.1, and it works when you have SeImpersonate or SeAssignPrimaryToken privileges. By default, JuicyPotato uses the BITS service CLSID, and provides other tools (a set of PowerShell and Batch scripts), to enumerate and test other CLSIDs.

Although in combination these tools actually do a fantastic job, I've soon realized during my tests that they present some drawbacks:

  • Multiple executable files to be uploaded on the target machines
  • Multiple data files to be created during the CLSID gathering
  • General lack of speed due to this multistep process

The "weakest" point is that different Windows Versions, as well as different configurations often requires to enumerate available CLSID over the target machine and that "try" them, one by one.

I decided then to automate this process in a new version of JuicyPotato, that is Candy Potato.

For additional information, I suggest seeing the original JuicyPotato repository, and follow the references.

Candy details

For backward compatibility, CandyPotato allows you to do whatever you could with JuicyPotato, adding some new gigs:

New Commands

  • INFO mode
    Enumerate suitable CLSIDs and print them back to the user, improving what GetCLSID.ps1 used to do in JuicyPotato v0.1

  • AUTO mode
    Automatically enumerate suitable CLSIDs and try to exploit them

  • Service StartType
    Filter CLSIDs basing on the Service Start Type (Manual, Auto, Disabled, etc) permitting to minimize failures

Old Commands

  • Target CLSID
    Pick any CLSID you want. In the old JuicyPotato Repository you can find the list organized by OS. (Deprecated: Use -Q to discover available CLSIDs)

  • COM Listening port
    define COM listening port you prefer (default 10000)

  • COM Listening IP address
    bind the server on any IP

  • Process creation mode
    depending on the impersonated user's privileges you can choose from:

    • CreateProcessWithToken (needs SeImpersonate)
    • CreateProcessAsUser (needs SeAssignPrimaryToken)
    • both

  • Process to launch
    launch an executable or script if the exploitation succeeds

  • Process Argument
    customize the launched process arguments

  • RPC Server address
    for a stealthy approach you can authenticate to an external RPC server

  • RPC Server port
    useful if you want to authenticate to an external server and firewall is blocking port 135...

  • TEST mode
    mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM and prints the user of token.

Usage

T:\>CandyPotato.exe
CandyPotato v0.2

Mandatory args:
-t createprocess call: <t> CreateProcessWithTokenW, <u> CreateProcessAsUser, <*> try both
-p <program>: program to launch

Optional args:
-l <port>: COM server listen port (default 10000)
-m <ip>: COM server listen address (default 127.0.0.1)
-a <argument>: command line argument to pass to program (default NULL)
-k <ip>: RPC server ip address (default 127.0.0.1)
-n <port>: RPC server listen port (default 135)
-c <{clsid}>: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-z only test CLSID and print token's user
-x automatically identifies suitable CLSIDs and attempt exploitation
-s <start-type> [1-4](default 3:[MANUAL])
-Q print available CLSIDs and exit

Example

Considerations

This exploit has been silently mitigated by Microsoft in a completed unrelated update affecting Oxid Resolvers. The full story, and a new exploit ("RoguePotato") capable to bypass the unintended mitigation, can be found at the following addresses:

Credits (JuicyPotato v0.1)

Awesome work done by @decoder-it (decoder_it) and @ohpe (Giutro) on the original Juicy-Potato:

Also I would like to take a moment to say a "Thanks" to @AntonioCoco for the work on RoguePotato:

These guys are amazing.

References

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].