{"id":13827299,"url":"https://github.com/pfussell/pivotal","last_synced_at":"2025-07-09T03:31:52.251Z","repository":{"id":75111807,"uuid":"63402374","full_name":"pfussell/pivotal","owner":"pfussell","description":"A MITM proxy server for reflective DLL injection through WinINet","archived":false,"fork":false,"pushed_at":"2018-05-01T15:59:37.000Z","size":16615,"stargazers_count":15,"open_issues_count":0,"forks_count":13,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-08-05T09:16:09.731Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pfussell.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-07-15T07:46:07.000Z","updated_at":"2024-03-21T09:22:19.000Z","dependencies_parsed_at":"2023-06-05T09:30:40.266Z","dependency_job_id":null,"html_url":"https://github.com/pfussell/pivotal","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfussell%2Fpivotal","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfussell%2Fpivotal/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfussell%2Fpivotal/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pfussell%2Fpivotal/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pfussell","download_url":"https://codeload.github.com/pfussell/pivotal/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225481521,"owners_count":17481174,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T09:01:53.640Z","updated_at":"2024-11-20T06:31:33.859Z","avatar_url":"https://github.com/pfussell.png","language":"C++","funding_links":[],"categories":["\u003ca id=\"42f9e068b6511bcbb47d6b2b273097da\"\u003e\u003c/a\u003e未分类"],"sub_categories":["\u003ca id=\"3bd67ee9f322e2c85854991c85ed6da0\"\u003e\u003c/a\u003e投毒\u0026\u0026Poisoning"],"readme":"pivotal\n=======\n\nBig idea\n- Inject DLL in target IE process using Metasploit's [Reflective DLL Injection](http://blog.harmonysecurity.com/2008/10/new-paper-reflective-dll-injection.html)\n- DLL's DllMain launches a thread\n- The thread starts an HTTP proxy server\n- Proxy server listens for HTTP requests\n- HTTP CONNECT requests to port 443 are intercepted, the proxy returning \"200 Connection established\" then initiating handshake as the requested server\n- If request is encrypted, it is decrypted using keys established during handshake.\n- Proxy server forwards request using WinINet API thereby inheriting any associated credentials from the parent process\n- Proxy server forwards response back to original client, reencrypting response if needed.\n- Server closes when IE process ends\n\nCurrent status\n- driver.exe loads DLL using LoadLibrary\n- DLL's DllMain launches a thread which starts the proxy server\n- Server listens for connections on 0.0.0.0:4040\n- Incoming requests are parsed, transmitted through WinINet, and returned\n- TLS handshakes are partially functional, but won't yet be responded to\n\nBuilding\n- VS2012 solution provided, should work in 2013 too\n- Configured for 32- and 64-bit DLLs (which one do we need?)\n- Requires some C++11 features though this requirement might be removed in the future. If building in VS2012 which lacks some C++11 features, install (updated compiler)[http://www.microsoft.com/en-us/download/details.aspx?id=35515]\n\nTesting\n- Run driver.exe. It expects a dll named pivotal.dll in the same directory.\n- After five seconds, server will start on a separate thread\n- Set proxy setting to use 0.0.0.0:4040\n- All connections will be displayed in the console\n- All non-SLL connections should work!\n- Testing in a lab enviornment verified that the proxy allows access to hosts to which there is an open session.\n  - Testing scinaro used:\n    - Target host is on a remote subnet that is segmented from the attacker by ACL's and stateful inspection\n    - An intermediary can access the target host but only with web traffic\n     - The ideal for testing would be if access to the remote host was restriced by an additional itermediary like a jump box because it is possible to mimic HTTP traffic and fool packet inspection\n    - We compromise the itermediary execute our payload \n    - We can now interact with any host the user has a session open to\n\nTo be done:\n- Create a port scanner that will run over HTTP to play nice with our proxy\n  - Need to do some testing with making requests to ports over HTTP to see how this will work\n- Add HTTPS support. [See example here](http://www.boost.org/doc/libs/1_53_0/doc/html/boost_asio/example/ssl/server.cpp)\n- Actually try injecting this into IE and see what happens\n  - Make the dll reflective for injection (https://github.com/stephenfewer/ReflectiveDLLInjection)\n- Set up to be delivered with MSF\n  - patch the reflective DLL to make it compatible with the dllinject stager\n  - deliver the patched reflective DLL to the dllinject stager\n- SEE: http://blog.strategiccyber.com/2012/09/17/delivering-custom-payloads-with-metasploit-using-dll-injection/\n\nSteps to Creating a Payload\n- Target Vulnerability\n- Setting Up for Development\n- Choosing a Starting Point\n- Development Process Overview\n- Triggering the Vulnerability\n- Sending the Payload\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpfussell%2Fpivotal","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpfussell%2Fpivotal","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpfussell%2Fpivotal/lists"}