From 37799342145af699f57bf61be051db6fa9c97de2 Mon Sep 17 00:00:00 2001
From: Andres D
Date: Tue, 24 Dec 2024 12:28:13 +0000
Subject: [PATCH] Added deluserfromgroup bof
---
 Remote/Remote.cna | 30 +++++
 .../deluserfromgroup/deluserfromgroup.x64.o | Bin 0 -> 4078 bytes
 .../deluserfromgroup/deluserfromgroup.x86.o | Bin 0 -> 4130 bytes
 src/Remote/deluserfromgroup/Makefile | 25 +++++
 src/Remote/deluserfromgroup/entry.c | 106 ++++++++++++++++++
 src/common/bofdefs.h | 3 +-
 6 files changed, 163 insertions(+), 1 deletion(-)
 create mode 100644 Remote/deluserfromgroup/deluserfromgroup.x64.o
 create mode 100644 Remote/deluserfromgroup/deluserfromgroup.x86.o
 create mode 100644 src/Remote/deluserfromgroup/Makefile
 create mode 100644 src/Remote/deluserfromgroup/entry.c
diff --git a/Remote/Remote.cna b/Remote/Remote.cna
index 6e492c0..3ca1e58 100644
--- a/Remote/Remote.cna
+++ b/Remote/Remote.cna
@@ -1477,6 +1477,36 @@ Usage: addusertogroup
 
 "
 );
+#deluserfromgroup
+alias deluserfromgroup
+{
+ if(size(@_) != 5)
+ {
+ berror($1, beacon_command_detail("deluserfromgroup"));
+ berror($1, "Invalid number of parameters");
+ return;
+ }
+ beacon_inline_execute($1, readbof($1, "deluserfromgroup"), "go", bof_pack($1, "ZZZZ", $5, $4, $2, $3));
+}
+
+beacon_command_register(
+ "deluserfromgroup",
+ "Remove the specified user from the specified group",
+ "
+Command: deluserfromgroup
+Summary: Remove the specified user from the specified group.
+
+Usage: deluserfromgroup
+ USERNAME Required. The user name to remove from group.
+ GROUPNAME Required. The group to remove the user from.
+ SERVER Required. The target computer to remove the user. use \"\" for the local machine
+ DOMAIN Required. The domain/computer for the account. You must give
+ the domain name for the user if it is a domain account, or
+ use \"\" to target an account on the local machine.
+
+"
+);
+
 #adduser
 alias adduser
 {
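Review bot: The usage block does not say how SERVER and DOMAIN interact, yet the BOF this alias packs for (entry.c in the same patch) only removes from a domain group when SERVER is non-empty and DOMAIN is "", and only from a local group when SERVER is ""; with both non-empty it removes nothing. Spell that out in the help, e.g. replace the SERVER line with `SERVER      Required. Server/DC whose domain (global) group is modified; use \"\" to remove from a local group on this machine. Leave DOMAIN \"\" when SERVER is set.`. The `bof_pack` order `$5, $4, $2, $3` (domain, server, user, group) matches the extraction order in `go`, so that part is consistent. The phrase "The target computer to remove the user" reads as if the account itself is deleted; "the computer whose group membership is changed" is what the code does.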
diff --git a/Remote/deluserfromgroup/deluserfromgroup.x64.o b/Remote/deluserfromgroup/deluserfromgroup.x64.o new file mode 100644 index 0000000000000000000000000000000000000000..d0d3ea689ab1dbf7586bee62bea3ced032943cae GIT binary patch literal 4078 zcma)9ZERat89t7kbPX*DV`U(|?!biv*5KQ*EgMD6t)2E7ZaS-R+KF{d9p^f=%YA*M;F1Aa{FF9f2^ehiPWg>2PS(q=6biEiUZrfy?UB-S!^dERrb zkFV$a;7GpbInVo?_q^vlANP9v;WdoPsZPdj6ez;_T>FqKuzYm4!xm!feJN#|Kx-_u zzi&L_W&%15cuPls032YcTHjcu(#*ED?kC-$W``8R-WGqcfxdFHt^nO>=$>0E{eBwN z0E5nH)*S=C#h-&ziueY;_Vs#8)*7n6tfDig-s*W4d0=yxKJzvJvD`wtjL_um-DsaA zyE*myp7}k)q&H_a5S{2c(S8kT{<6L(JNkw>23oHL+?>07eENcWt;zo=g?i0*OG; zbz(h%LH?f6`v;T1WZZT>(RIhX85T)QX5UNl_f39pw8!MLMFPSr+#V8^LXT;2iLq5(NMUKt8_Kn_c z>^1H-_8G`_J!+PB zAl2Cgm3Ogo2K5@bqr8hA^P)R7VsI!YnTTreGF_`)Z(>h$d&^0FUWO`M=od_W9w86N zkQ>3qJ``+{Bb(`{hE1X`iE%ItmUguOhe9>Vg&05vsA4hsJVF!w|DUj8epvI?Bfm2} zk+ontE&ej%N%FH6Ul3XI$2`d*fjuhX!0i20`ssb%{kX~h>@Azvg#G5M5cw_aM{jun znG+|GUp4tZtXZgxlVPlzfB06(85TIn7tLAht~ol=20wlIxM*7ZC6ix~J^j_EMYw_- zh#K3!0p}a=MZnzDH?SoZs%`p(+|>6O19*GoSO4+6=~~xAKc`JN{dP4@s~b=9E3}hl zH(>fqU-TzTYmV)OY5d9053fzv+%$Bbf^Kd-9^Ue$6kJrdDi_;*7h<1#XObKz=S`FU zQ(s&;jFVvqAKmaVp?sXVw9cGe{}|dUPawWIO5e(@Ky)bTJM3t%kb=sGYsrF-gji%7 z>W(n$*wz*cm4Un0vhD}h#XhpXv%EHSO|9c}q;5$25r_&K@-ybQ5Q*AZT-W6#3 zjfT>=_FAYp} z81KVz;Jx_mvL{Oi^Ti2m?Bpx3e9`3`toXU=P{C2Hp$Ig*n zP2arfo_z79&C=jM>BU4FB*L!8^P>W33f-#ER)vy4pTjRA@*;ceQ&tBEH$AN1Q`{3k zn&6(p^9F(5!t)CPZNiF3FP1`k6|xn&SD_y(bWEXBKwlL8)?ziI0^JOx3G^+X8w8pK zlDgjj(R~zQuPWU;N*Bc%OWjtWFA3ckkS5SUAnEUZpf3yVNuW;%^deA?Kyc1_1zH32 z6@d-_N!@pWzACr}f#euRmG!tnzgD`liu;>FaKP5#7pB2{M7#Z3!I4E;X{9Bi{V%Pb zRNQA2(v&r-IGT;@d!w?(6i1&<(%P@Abe1GHpin|tO~qLX(J7Nr(HWC{?^KA+nY8X# z+_*vql(jF1V}%x#4?M;uLUz%04))7=T^Cbbknq;OVQ9 zZjlB<>qmD=gP}7+H;QD$Sf#SKR~ni)G<3T(nD2n0J4P}SB{Wg!rjbnWdz``zhv)_p zA9O-VkKngB0)U3rx48tr!{Hp7W;?Zl-{7>T!Xc5WCSmaV8-YMmz?1URD8X;<4$$Gy zlMQ14m3>T~+u_i40ZRkYZ9==6=GDeZRkvJ4P_(Bd<2soN?E)&2A@oCf_=Q-;e(JZV zlFTn#nE4jwwHD@T3-hr+CZ*@z7KU!PdXbt^3-hBE=4UO;Vhi)v7UthgOecnu>k&P2 
z9?dysQL-_3#i}15_Vw(@3QT9!zILj}8s*j_*oGp~oA{=eF6IY^ivMT-zpD&avwqzdg8X z=b&}d=I9RFO*y5kU8$IMrtG^=R^p6+Z-2alm7+gO>Ay+8eU(x6;G zt-ZZ|m_&tMuVGmXK?*-mksvfef`||C2O^MqmD^Y;5=tDac4hxSA`yo8UjpK@%k$3c zj&FPBM@O35XWn_<&zbRz4~AM8wYA$B`!q+9P^YE8U~w#dPB$|a2{BfSit&T^D6H#f z=cHz7b-Wnx8DUOJldP-Od8|~Dg8u`)N<1@Y@cZEYu+d&}_nx4UIEFnR3CiF%xm$fW zAe=!CL*TuPT&dlLPP~kLy|U4^(3hYj*+L|N?3jB8Fv~48N9fC5r`&%-^Oxo`>Y{yp zys{DB@oPS7#}js6B6^l601=_;+(Bctc7fq5?Nm-inZ11TywwUVK~!tpc;&5l_Q*V9 z86TS~$3`j}J!hfM?DQYq%g$p25n+@T& zgq>M)7wvh6%-Dw$(SR~nyXLDMh5}Tb^fl-?q~|5*l&{Uj+U)Y$*Z%2#oUxalZEEKJ z-?JBPp38-HQi*On?U64~h)#K}lE+=U%68?lGp6Th+hY znI(HqV*T9vuIpr$oRcev{z@pb)^YXbPphjh{g?-jAk;-?C)Aidib$IzajdK-Eiz17)9Mp2lUi$(?XDuJ!=m;b`u zz%}=ZSc1xiVqbKZ$$5Pt`5LH;>Ln`ZJi=>7Zv!iig0|LMrua}}&$2_7VY6B*-&0++ z+T3MqEi4jG5Xt##tF9sudu7X1K5Pp1MQnC=d9Ho0%z!-Bc|!(>9Lw^7*sZN%Z~HK@ z)AojUCmjJV75N(uU*T|@S9p_^E`t7E#6L^nVuJ^yJE1 zc|~lgo9AI%bwyTDY-UPK#4S!S?I=jomvIVD2#hmHBS;s-X%*x25=O!R7vw5mVD`mw zSaoxi&oO*g*Pr;e>sD(!UU>(RR9DMmRo5EBlHu$xsh22g3eh_%$jXlKW3mKF#O|Tc zqHmNlHz*PVBpZv>p{j++SBz`{(JgiR}&*h6#%B~S5XByM^ z-o7a;mvmEzCyi+>UsR?{qdcSJw0uFId{o(0c&d)qG(&#Q&N_b=qo^U$F#7QrR;k^ zWW9x*!!IsCpf~WVaI_Oq3U7NPN=fuZi8P6(B`QnwGoVj!dtt1=Cpo$gNcimq5`JF; z61=y8?&Z9{O5Sa#uHcOW3En9ns(uUm5s;qDER3cL%1$y*yjI*RflMy_o#)K!otwrs@)4AomZ*l|x4nMsO#BX>K1Okr#S1?HXt~aD7eN%{D zSj?Z2x*RGGgeOBJ8Izb2p>GcvAUOK`}9Hvm+gLB!F~Ly z?WdbIAU{a=st|7-#YEXOaSGwRl%GXZ+5GfOHajpf);m0!fG+M^U${@#CXC{fVh03? zIa8OqPo#$j(+3~wPW0>6kZDZlrP2Xin@M*0b|itsDe{n1yZuSe^K+#luL|-P5e1a? z!(E+@oEy(i>b=J`bJQ3p7p(lg7cD)BH^2u?$jMQ|*GP8n@o9tU(bUl6h<{MGc;&n@ z*E#fpe14)dp<(?*g!OuxWry;BK7C9#OUZ6o0a3|5{I@=&nI&1dO>z1K9IFXwT1*Vl IHp#L70e+FEzW@LL literal 0 HcmV?d00001 diff --git a/src/Remote/deluserfromgroup/Makefile b/src/Remote/deluserfromgroup/Makefile new file mode 100644 index 0000000..659dd7a --- /dev/null +++ b/src/Remote/deluserfromgroup/Makefile 
@@ -0,0 +1,25 @@
+BOFNAME := deluserfromgroup
+COMINCLUDE := -I ../../common
+LIBINCLUDE := -lnetapi32
+CC_x64 := x86_64-w64-mingw32-gcc
+CC_x86 := i686-w64-mingw32-gcc
+CC := x86_64-w64-mingw32-clang
+
+all:
+ $(CC_x64) -o $(BOFNAME).x64.o $(COMINCLUDE) -Os -c entry.c -DBOF
+ $(CC_x86) -o $(BOFNAME).x86.o $(COMINCLUDE) -Os -c entry.c -DBOF
+ mkdir -p ../../../Remote/$(BOFNAME)
+ mv $(BOFNAME)*.o ../../../Remote/$(BOFNAME)
+
+test:
+ $(CC_x64) entry.c $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x64.exe
+ $(CC_x86) entry.c $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).x86.exe
+
+scanbuild:
+ $(CC) entry.c $(COMINCLUDE) $(LIBINCLUDE) -o $(BOFNAME).scanbuild.exe
+
+check:
+ cppcheck --enable=all --suppress=missingIncludeSystem --suppress=unusedFunction $(COMINCLUDE) --platform=win64 entry.c
+
+clean:
+ rm $(BOFNAME).*.exe
\ No newline at end of file
diff --git a/src/Remote/deluserfromgroup/entry.c b/src/Remote/deluserfromgroup/entry.c
new file mode 100644
index 0000000..a4799b0
--- /dev/null
+++ b/src/Remote/deluserfromgroup/entry.c
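Review bot: The `clean` target uses a bare `rm` on `$(BOFNAME).*.exe` only, so `make clean` fails with a non-zero exit when no test binary has been built and never touches any stray `.o` left by an interrupted `all`; `rm -f $(BOFNAME).*.exe $(BOFNAME).*.o` handles both. None of `all`, `test`, `scanbuild`, `check`, `clean` is declared phony, so a file named `test` or `clean` in the directory silently skips the recipe; add `.PHONY: all test scanbuild check clean` at the top. The `all` and `test` recipes pass no warning flags; adding `-Wall -Wextra` to the `$(CC_x64)`/`$(CC_x86)` lines would at least flag the unused `argc`/`argv` in entry.c's test `main` at build time. Whether the recipe lines are tab-indented cannot be verified from this rendering, but they must be for make to accept them.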
@@ -0,0 +1,106 @@
+#include
+#include
+#include
+#include "beacon.h"
+#include "bofdefs.h"
+#include "base.c"
+
+
+DWORD DelUserFromDomainGroup(LPCWSTR lpswzServer, LPCWSTR lpswzUserName, LPCWSTR lpswzGroupName)
+{
+ NET_API_STATUS dwErrorCode = NERR_Success;
+ dwErrorCode = NETAPI32$NetGroupDelUser(lpswzServer, lpswzGroupName, lpswzUserName);
+ return dwErrorCode;
+}
+
+DWORD DelUserFromLocalGroup(LPCWSTR lpswzServer, LPCWSTR lpswzUserName, LPCWSTR lpswzGroupName, LPCWSTR lpswzDomainName)
+{
+ NET_API_STATUS dwErrorCode = NERR_Success;
+ LOCALGROUP_MEMBERS_INFO_3 mi[1] = {0}; // https://learn.microsoft.com/en-us/windows/win32/api/lmaccess/ns-lmaccess-localgroup_members_info_3
+ mi[0].lgrmi3_domainandname = intAlloc(1024);
+ if (lpswzDomainName != NULL)
+ {
+ MSVCRT$wcscat(mi[0].lgrmi3_domainandname, lpswzDomainName);
+ MSVCRT$wcscat(mi[0].lgrmi3_domainandname, L"\\");
+ }
+ MSVCRT$wcscat(mi[0].lgrmi3_domainandname, lpswzUserName);
+ dwErrorCode = NETAPI32$NetLocalGroupDelMembers(lpswzServer, lpswzGroupName, 3, (LPBYTE)mi, 1);
+ return dwErrorCode;
+}
+
+#ifdef BOF
+VOID go(
+ IN PCHAR Buffer,
+ IN ULONG Length
+)
+{
+ DWORD dwErrorCode = ERROR_SUCCESS;
+ datap parser = {0};
+ BeaconDataParse(&parser, Buffer, Length);
+ LPCWSTR lpswzDomainName = (LPCWSTR)BeaconDataExtract(&parser, NULL); // $5
+ LPCWSTR lpswzHostName = (LPCWSTR)BeaconDataExtract(&parser, NULL); // $4
+ LPCWSTR lpswzUserName = (LPCWSTR)BeaconDataExtract(&parser, NULL); // $2
+ LPCWSTR lpswzGroupName = (LPCWSTR)BeaconDataExtract(&parser, NULL);// $3
+ if(lpswzHostName[0] == L'\0'){lpswzHostName = NULL;}
+ if(lpswzDomainName[0] == L'\0'){lpswzDomainName = NULL;}
+
+ if(!bofstart())
+ {
+ return;
+ }
+
+ if (lpswzDomainName == NULL && lpswzHostName != NULL)
+ {
+ BeaconPrintf(CALLBACK_OUTPUT, "Removing %S from %S\n", lpswzUserName, lpswzGroupName);
+ dwErrorCode = DelUserFromDomainGroup(lpswzHostName, lpswzUserName, lpswzGroupName);
+ if ( ERROR_SUCCESS != dwErrorCode )
+ {
+ BeaconPrintf(CALLBACK_ERROR, "Removing user from domain group failed: %lX\n", dwErrorCode);
+ goto go_end;
+ }
+ }
+ else if (lpswzHostName == NULL)
+ {
+ BeaconPrintf(CALLBACK_OUTPUT, "Removing %S from local group %S\n", lpswzUserName, lpswzGroupName);
+ dwErrorCode = DelUserFromLocalGroup(lpswzHostName, lpswzUserName, lpswzGroupName, lpswzDomainName);
+ if (ERROR_SUCCESS != dwErrorCode)
+ {
+ BeaconPrintf(CALLBACK_ERROR, "Unable to remove user to local group %lX\n", dwErrorCode);
+ goto go_end;
+ }
+ }
+ internal_printf("SUCCESS.\n");
+
+go_end:
+ printoutput(TRUE);
+ bofstop();
+};
+#else
+#define TEST_USERNAME L"localadmin2"
+#define TEST_HOSTNAME L""
+#define TEST_GROUPNAME L"Remote Desktop Users"
+#define TEST_DOMAIN L"WOOT"
+
+int main(int argc, char ** argv)
+{
+ DWORD dwErrorCode = ERROR_SUCCESS;
+ LPCWSTR lpswzHostName = TEST_HOSTNAME;
+ LPCWSTR lpswzUserName = TEST_USERNAME;
+ LPCWSTR lpswzGroupName = TEST_GROUPNAME;
+ LPCWSTR lpswzDomainName = TEST_DOMAIN;
+
+ internal_printf("Removing %S from %S\n", lpswzUserName, lpswzGroupName);
+
+ dwErrorCode = DelUserFromLocalGroup(lpswzHostName, lpswzUserName, lpswzGroupName, lpswzDomainName);
+ if ( ERROR_SUCCESS != dwErrorCode )
+ {
+ BeaconPrintf(CALLBACK_ERROR, "Removing user from group failed: %lX\n", dwErrorCode);
+ goto main_end;
+ }
+
+ internal_printf("SUCCESS.\n");
+
+main_end:
+ return dwErrorCode;
+}
+#endif
\ No newline at end of file
diff --git a/src/common/bofdefs.h b/src/common/bofdefs.h
index 70e7e0a..7850514 100644
--- a/src/common/bofdefs.h
+++ b/src/common/bofdefs.h
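Review bot: `DelUserFromLocalGroup` builds `DOMAIN\user` with unbounded `MSVCRT$wcscat` calls into a fixed 1024-byte `intAlloc` buffer that is neither NULL-checked nor freed, so an over-long DOMAIN or USERNAME supplied by the operator overruns the beacon's heap, an allocation failure crashes the beacon on the first `wcscat`, and every call that does succeed leaks the buffer inside the long-lived implant process. Size the allocation from the inputs, bail out on NULL and release it after `NetLocalGroupDelMembers`, as below (this assumes `MSVCRT$wcslen` is declared in bofdefs.h like the other MSVCRT imports and that base.c provides `intFree` next to `intAlloc`; if either is missing, add it). Separately, the `if`/`else if` pair in `go` covers only (SERVER set, DOMAIN empty) and (SERVER empty), so a call with both non-empty falls through to `internal_printf("SUCCESS.\n")` having removed nothing; add a final `else { BeaconPrintf(CALLBACK_ERROR, "SERVER and DOMAIN cannot both be set\n"); goto go_end; }` before the success print. `go` also indexes `lpswzHostName[0]` and `lpswzDomainName[0]` before checking that `BeaconDataExtract` returned a non-NULL pointer, which a malformed argument buffer would turn into a beacon crash.

```c
DWORD DelUserFromLocalGroup(LPCWSTR lpswzServer, LPCWSTR lpswzUserName, LPCWSTR lpswzGroupName, LPCWSTR lpswzDomainName)
{
    NET_API_STATUS dwErrorCode = NERR_Success;
    LOCALGROUP_MEMBERS_INFO_3 mi[1] = {0};
    // "DOMAIN\" + user + NUL, in WCHARs, sized from the inputs rather than a fixed 1024 bytes
    size_t cchName = MSVCRT$wcslen(lpswzUserName) + 1;
    if (lpswzDomainName != NULL)
    {
        cchName += MSVCRT$wcslen(lpswzDomainName) + 1;
    }
    mi[0].lgrmi3_domainandname = (LPWSTR)intAlloc(cchName * sizeof(WCHAR));
    if (mi[0].lgrmi3_domainandname == NULL)
    {
        return ERROR_NOT_ENOUGH_MEMORY;
    }
    mi[0].lgrmi3_domainandname[0] = L'\0'; // do not rely on intAlloc zeroing the block
    if (lpswzDomainName != NULL)
    {
        MSVCRT$wcscat(mi[0].lgrmi3_domainandname, lpswzDomainName);
        MSVCRT$wcscat(mi[0].lgrmi3_domainandname, L"\\");
    }
    MSVCRT$wcscat(mi[0].lgrmi3_domainandname, lpswzUserName);
    dwErrorCode = NETAPI32$NetLocalGroupDelMembers(lpswzServer, lpswzGroupName, 3, (LPBYTE)mi, 1);
    intFree(mi[0].lgrmi3_domainandname);
    mi[0].lgrmi3_domainandname = NULL;
    return dwErrorCode;
}
```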
@@ -217,12 +217,13 @@ WINBASEAPI DWORD WINAPI NETAPI32$NetQueryDisplayInformation(LPCWSTR ServerName,D
 WINBASEAPI DWORD WINAPI NETAPI32$NetLocalGroupEnum(LPCWSTR servername,DWORD level,LPBYTE *bufptr,DWORD prefmaxlen,LPDWORD entriesread,LPDWORD totalentries,PDWORD_PTR resumehandle);
 WINBASEAPI DWORD WINAPI NETAPI32$NetLocalGroupGetMembers(LPCWSTR servername,LPCWSTR localgroupname,DWORD level,LPBYTE *bufptr,DWORD prefmaxlen,LPDWORD entriesread,LPDWORD totalentries,PDWORD_PTR resumehandle);
 WINBASEAPI DWORD WINAPI NETAPI32$NetLocalGroupAddMembers(LPCWSTR servername,LPCWSTR groupname,DWORD level,LPBYTE buf,DWORD totalentries);
+WINBASEAPI DWORD WINAPI NETAPI32$NetLocalGroupDelMembers(LPCWSTR servername,LPCWSTR groupname,DWORD level,LPBYTE buf,DWORD totalentries);
 WINBASEAPI DWORD WINAPI NETAPI32$NetUserSetInfo(LPCWSTR servername,LPCWSTR username,DWORD level,LPBYTE buf,LPDWORD parm_err);
 WINBASEAPI DWORD WINAPI NETAPI32$NetShareEnum(LMSTR servername,DWORD level,LPBYTE *bufptr,DWORD prefmaxlen,LPDWORD entriesread,LPDWORD totalentries,LPDWORD resume_handle);
 WINBASEAPI DWORD WINAPI NETAPI32$NetSessionEnum(LPCWSTR servername, LPCWSTR UncClientName, LPCWSTR username, DWORD level, LPBYTE* bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, LPDWORD resumehandle);
 WINBASEAPI DWORD WINAPI NETAPI32$NetApiBufferFree(LPVOID Buffer);
 WINBASEAPI DWORD WINAPI NETAPI32$NetGroupAddUser(LPCWSTR servername,LPCWSTR GroupName,LPCWSTR userName);
-WINBASEAPI DWORD WINAPI NETAPI32$NetGroupAddUser(LPCWSTR servername,LPCWSTR GroupName,LPCWSTR userName);
+WINBASEAPI DWORD WINAPI NETAPI32$NetGroupDelUser(LPCWSTR servername,LPCWSTR GroupName,LPCWSTR userName);
 WINBASEAPI DWORD WINAPI NETAPI32$NetUserAdd(LPCWSTR servername, DWORD level, LPBYTE buf, LPDWORD parm_err);
 //MPR